lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200307162018.23032.webmaster@securiteinfo.com>
From: webmaster at securiteinfo.com (scrap)
Subject: Digi-news and Digi-ads version 1.1 admin access without password

Digi-news and Digi-ads version 1.1 admin access without password

.oO Overview Oo.
Digi-news and Digi-ads version 1.1 admin access without password
Discovered on 2003, March, 30th
Vendor: Digi-FX

Digi-news 1.1 is a PHP news editor. It allows you to easily add, edit, and 
delete news.
Digi-ad 1.1 is a PHP ad rotator. It allows you to easily add, edit, reset, and 
delete ads.
A vulnerability allows to access to the admin area in both script, without the 
administrator password.
Original text is at 
http://www.securiteinfo.com/attaques/hacking/digi-news1_1.shtml


.oO Details Oo.
In Digi-news or Digi-ad, the admin web page is admin.php
Here is a sample of the admin authentification in this admin.php :

if (!isset($action)) {
   $action = '';
}
if ($action == 'auth') {
   auth();
}
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) && 
(@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {
   login();
   exit;
}
Continued as admin logged...


As you can see, the authentification scheme is based on a cookie. This cookie 
contains the user and the MD5 hashed password. But the programmer did a 
mistake :
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) && 
(@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {
It means that "Admin is authentificated" if "user = user in the cookie" OR 
"password = password in the cookie". In english, it means you don't need the 
admin password as far as you know the admin login !
The default admin login is "admin". If it doesn't work, try these :

    * Admin
    * Administrator
    * administrator
    * Root
    * root
    * the nickname of the admin (if known)
    * the surname of the admin (if known)
    * etc...


.oO Exploit Oo.
Ok, that's quite easy. You just have to send a handwrited cookie with 
user=admin in. You can do that with the well-known Proxomitron

.oO Solution Oo.
The solution is to replace the AND operation by a OR operation, as followed :
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) || 
(@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {
The vendor has been informed and solved the problems. Download Digi-News 1.2 
and Digi-ads 1.2 at http://www.digi-fx.net/freescripts.php

.oO Discovered by Oo.
Arnaud Jacques aka scrap
webmaster@...uriteinfo.com
http://www.securiteinfo.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ