lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 8 Mar 2007 00:16:38 -0000
From: sn0oPy.team@...il.com
To: bugtraq@...urityfocus.com
Subject: dynaliens v2.0/v2.1 bypass admin authentification + XSS

* dynaliens v2.0/v2.1 bypass admin authentification + XSS

* By : sn0oPy

* Risk : high

* site :  http://www.spiderforce.fr.st/

* Dork : inurl:"/dynaliens"

* exploit :

         normaly when we add "/admin" to the link, like that http://www.target.ma/dynaliens/admin we are face to face with a restricted zone area, but if we add "validlien.php3" after the admin folder we are redirected to the consol admin without authentification.

the AUTH_USER is present just in/for the index :


if ($auth == 0)
{
	if(!$PHP_AUTH_USER)
	{
	Header("WWW-authenticate: basic realm=\"$domaine\"");
	Header("HTTP/1.0 401 Unauthorized");
	
	// Ci dessous le code qui est affiché si l'on click le bouton Cancel

	EnteteADMIN();

....

		if ($PHP_AUTH_USER==$login && $PHP_AUTH_PW==$pwd)
		{
			if (@mysql_connect ($cfgHote, $cfgUser, $cfgPass))
			{
				$sql = "SELECT * FROM $tb_rub";
				$sql = mysql_db_query($cfgBase,$sql);
				$nbrub = mysql_num_rows($sql);

				$sql2 = "SELECT * FROM $tb_liens WHERE valid=0";
				$sql2 = mysql_db_query($cfgBase,$sql2);
				$addlien = mysql_num_rows($sql2);

				$sql3 = "SELECT * FROM $tb_liens WHERE valid=1";
				$sql3 = mysql_db_query($cfgBase,$sql3);
				$dellien = mysql_num_rows($sql3);

				EnteteADMIN();

				br(4);

				echo "<center>";
				DebutTableau("#FFFFFF", "1", "0", "30%");
				DebutTableau("#5A6BA5", "20", "0", "100%");

				echo "<center>";
				echo "<font color='#FDFC65'><b>CONSOLE D'ADMINISTRATION</b></font>";
				echo "</center>";



you can do it with any one of this files when the admin has forget to reedit his files:

validlien.php3
supprlien.php3
supprub.php3
validlien.php3
confsuppr.php3
modiflien.php3
confmodif.php3
                    




XSS : http://www.target.ma/dynaliens/recherche.php3
XSS : http://www.target.ma/dynaliens/ajouter.php3

* contact : sn0oPy@...nir-geopolitique.net

* greetz : [subzero], Avg Team(forums.avenir-geopolitique.net).

* Reference : http://forums.avenir-geopolitique.net/viewtopic.php?t=2722

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ