lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070222102117.30154.qmail@securityfocus.com>
Date: 22 Feb 2007 10:21:17 -0000
From: r.verton@...il.com
To: bugtraq@...urityfocus.com
Subject: WebSpell > 4.0 Authentication Bypass and arbitrary code execution

WebSpell Authentication Bypass and arbitrary code execution
	
    Vendor 	: WebSpell
    URL 	: http://www.webspell.org/
    Version 	: All
    Risk 	: SQL Injection, unchecked file upload

Description:
webSPELL is a free Content Management System (CMS) for clans and gaming communities, providing all needed features like forums, 
gallery, clanwar system. Because of some serious flaws in the login and cookie-handling function, login can be easily bypassed and 
arbitrary php code executed via uploading a php file.
Notes: magic_quotes_gpc() has to be set OFF

Details:
Due to an SQL Injection via the sended 'ws_auth' cookie, WebSpell is vulnerable to an Authentication Bypass. 

$login_per_cookie = false;

if(isset($_COOKIE['ws_auth']) AND !isset($_SESSION['ws_auth'])) {

 $login_per_cookie = true;

 $_SESSION['ws_auth'] = $_COOKIE['ws_auth'];

}



systeminc('login');

[...]

if(stristr($_SESSION['ws_auth'], "userid")===FALSE){

    $authent = explode(":", $_SESSION['ws_auth']);

           $ws_user = $authent[0];

	  $ws_pwd = $authent[1];

           $check = safe_query("SELECT userID FROM ".PREFIX."user WHERE userID='$ws_user' AND password='$ws_pwd'");

	  while($ds=mysql_fetch_array($check)) {

             $loggedin=true;

	    $userID=$ds['userID'];

      }
}

As seen in the above codee, the Cookie 'ws_auth' is divided into two parts: The userid and the password.
With the following cookie you can bypass this function and login as admin(userid 1):

1;' OR '1'='1

When 'logged in' an PHP-file with arbitrary code can be uploaded via the "add squad" feature.

Solution:
    Use mysql_real_escape_String() or addslashes() for the safe_query()

Credits:
    Robin Verton < r.verton at gmail com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ