BugTraq
miniPortail (PHP) : Admin Access May 08 2003 03:35PM
Frog Man (leseulfrog hotmail com)


Information :
°°°°°°°°°°°°°°
Language : PHP
Website : http://www.aldweb.com/
Version : 1.9, 2.0, 2.1, 2.2 (and earlier ?)
Problem : Admin Access

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°

admin/admin.php :

------------------------------------------------------------------------
[...]
$portalname = "miniPortailAdmin";
$cookiedata = "adminok";
include("mdp.php");

if (md5($pass) == $mdp) {
setcookie($portalname, $cookiedata);
}
elseif ($logout == 1) {
setcookie($portalname, "");
header("location:../index.php");
}

$chemin = "../";
include($chemin."inc/includes.inc");

if (($HTTP_COOKIE_VARS[$portalname] == $cookiedata || md5($pass) == $mdp) &&
empty($pg)) {
include($chemin."inc/hpage.inc");
htable($admin1, "100%");

[...]

}
elseif ($HTTP_COOKIE_VARS[$portalname] == $cookiedata && !empty($pg)) {
if (file_exists("inc/".$pg.".inc")) {
$chemin = "../";
include("inc/".$pg.".inc");
}
[...]
------------------------------------------------------------------------

Exploit :
°°°°°°°
Set a cookie named miniPortailAdmin with the value "adminok" on
http://[target]/admin/admin.php

Solution :
°°°°°°°°°

A patch has been created and can be found at http://www.phpsecure.info .

In admin/admin.php, replace the lines :
------------------------------------------------------------------------
[...]
$portalname = "miniPortailAdmin";
$cookiedata = "adminok";
include("mdp.php");

if (md5($pass) == $mdp) {
setcookie($portalname, $cookiedata);
}
elseif ($logout == 1) {
setcookie($portalname, "");
header("location:../index.php");
}

$chemin = "../";
include($chemin."inc/includes.inc");

if (($HTTP_COOKIE_VARS[$portalname] == $cookiedata || md5($pass) == $mdp) &&
empty($pg)) {
[...]
------------------------------------------------------------------------

with :

------------------------------------------------------------------------
include("mdp.php");
session_start();
$miniPortailAdmin = "";

if (md5($pass) == $mdp) {
$miniPortailAdmin = "adminok";
session_register("miniPortailAdmin");
}
elseif ($logout == 1) {
session_unregister("miniPortailAdmin");
header("location:../index.php");
}

$chemin = "../";
include($chemin."inc/includes.inc");

if ((session_is_registered("miniPortailAdmin") || md5($pass) == $mdp) &&
empty($pg)) {
------------------------------------------------------------------------

and the line :

------------------------------------------------------------------------

elseif ($HTTP_COOKIE_VARS[$portalname] == $cookiedata && !empty($pg)) {
------------------------------------------------------------------------

with :

--------------------------------------------------------------------
elseif (session_is_registered("miniPortailAdmin") && !empty($pg)) {
--------------------------------------------------------------------

More Details :
°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/miniPortail.txt

frog-m@n
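
Added example (not part of the original advisory and not miniPortail code): the cookie check from the listing beside a server-side session check, written for current PHP, where session_register(), session_is_registered() and $HTTP_COOKIE_VARS were removed in PHP 5.4. The function names and the sample password are constructed, and $mdp is assumed to be the MD5 hex digest supplied by mdp.php.

```php
<?php
// Added example, not miniPortail code. Function names are hypothetical.
// Assumes mdp.php defines $mdp as the MD5 hex digest of the admin password,
// as implied by the advisory's listing.

// The flaw: the "proof" of login is a fixed value that the client supplies,
// so this check accepts any request carrying miniPortailAdmin=adminok.
function is_admin_vulnerable(array $cookies): bool
{
    return isset($cookies['miniPortailAdmin'])
        && $cookies['miniPortailAdmin'] === 'adminok';
}

// Server-side state: the flag lives in the session store; the client only
// holds a session id and cannot set the flag itself.
function is_admin(array $session): bool
{
    return isset($session['miniPortailAdmin'])
        && $session['miniPortailAdmin'] === true;
}

function try_login(array &$session, string $pass, string $mdp): bool
{
    // hash_equals() compares the two digests as strings, in constant time.
    if (!hash_equals($mdp, md5($pass))) {
        return false;
    }
    $session['miniPortailAdmin'] = true;
    return true;
}

// Constructed demonstration values (the password "s3cret" is made up).
$mdp = md5('s3cret');
$forgedCookies = ['miniPortailAdmin' => 'adminok'];
$session = [];   // stands in for $_SESSION after session_start()

var_dump(is_admin_vulnerable($forgedCookies)); // cookie-based check
var_dump(is_admin($session));                  // session-based check, no login yet
var_dump(try_login($session, 'wrong', $mdp));
var_dump(try_login($session, 's3cret', $mdp));
var_dump(is_admin($session));
```

In admin.php the same functions would be called with $_SESSION after session_start(), for example try_login($_SESSION, $_POST['pass'], $mdp), followed by session_regenerate_id(true) on a successful login.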
