phpWebLog Administrator Authentication Bypass Vulnerability

phpWebLog is an Open Source web news management system, authored by Jason Hines. A problem exists which can allow users administrative access to the management interface.

The problem occurs in the script. The $CONF array in the script is incorrectly initialized, and transforms all values within the array to the first character of the last value, which is language. The authentication scheme uses the md5 hash of the Sitekey, which due to being contained in the $CONF variable, is set to the first letter of the language value. The authentication scheme additionally uses another md5 hash of the ROT-13 of the Sitekey as a cryptographic cookie. The combination of these problems creates a situation where it is possible for a malicious user to guess the Sitekey (normally the first letter of the language of the admin), produce a custom crafted password and cookie, and take administrative control of the message board.


Privacy Statement
Copyright 2010, SecurityFocus