[VulnWatch] [PHP] AttilaPHP 3.0 : User/Admin Access

From: Frog Man (leseulfrog_at_hotmail.com)
Date: 08/26/03


To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Date: Tue, 26 Aug 2003 17:08:43 +0200

Information :
------------
Language : PHP
Version : 3.0 (and less ?)
Website : http://www.attila-php.net
Problem : User/Admin Access

PHP Code/Location :
-------------------

www/global.php3 :

---------------------------------------------------------------------------------------------------------------------------
function get_identity()
{
    global $cook_id, $TABLE_CURRENT_VISITS, $base;
    $table = $TABLE_CURRENT_VISITS;

    connect_db();

    if (!$cook_id) { /** no cookie set? Visitor! **/

        add_log("visit", 14);
        $query = "SELECT * FROM $table Where visiteur=14";
        $resu2 = mysql_db_query($base, $query);
        if (mysql_fetch_row($resu2) == 0)
        {
            $query = "INSERT INTO $table (id,visiteur) VALUES ('0','14')"; /** If no entry for visitor, insert one **/
            $resu = mysql_db_query($base, $query);
        }

        $query = "SELECT * FROM $table Where visiteur=14";
        $resu = mysql_db_query($base, $query);
        $row = mysql_fetch_array($resu);
        $valid = $row["ID"];
        setcookie("cook_id", $valid);
        return(14); exit;

    }

    /** $cook_id is the client's cookie value, pasted into the query unquoted and unchecked: the injection point **/
    $query = "SELECT * FROM $table Where ID=$cook_id";
    $resu = mysql_db_query($base, $query);
    $row = mysql_fetch_array($resu);
    $visiteur = $row["visiteur"];
    return($visiteur);

}
---------------------------------------------------------------------------------------------------------------------------

/user.php3, www/user_action.php3 :

-------------------------------------------------------------------------
$identite=get_identity();
if ($identite==14) {header("Location: http://$weburl/index.php3"); exit;}
-------------------------------------------------------------------------

www/god_action.php3,www/god.php3 :

--------------------------------------------------------------
$identite=get_identity();
if ($identite!=1) {header("Location: http://$weburl"); exit; }
--------------------------------------------------------------

Exploit :
---------

Set a cookie named "cook_id" with the value "0 OR visiteur=1" and request
http://[target]/index.php3 (or any other page). The cookie value lands in
$cook_id and the lookup becomes "SELECT * FROM $table Where ID=0 OR visiteur=1",
so the first row returned is an administrator's current visit (visiteur=1) and
get_identity() returns 1, which passes the check in god.php3 / god_action.php3.
This only works while an administrator has a row in $TABLE_CURRENT_VISITS; with
no such row the query returns nothing and no identity is granted.

Patch :
-------
A patch and more details can be found on http://www.phpsecure.info.

In www/global.php3, replace the line :
------------------------------------------------
$query="SELECT * FROM $table Where ID=$cook_id";
------------------------------------------------

by the lines :

--------------------------------------------------
$cook_id = addslashes($cook_id);
$query="SELECT * FROM $table Where ID='$cook_id'";
--------------------------------------------------

Since ID is a numeric column, casting the cookie to an integer
($cook_id = (int)$cook_id;) before building the query is a tighter fix than
addslashes(), which only escapes quotes and backslashes.
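The injection and both fixes, re-implemented in Python against an in-memory SQLite table as an added example (this is not AttilaPHP code and not part of the original advisory). It assumes a table current_visits with the same two columns the advisory shows (ID, visiteur), constructed sample rows for an administrator (visiteur=1), a member and the shared visitor row (visiteur=14), and emulates PHP's addslashes() and (int) cast so the three query shapes can be compared side by side:

```python
import re
import sqlite3

ADMIN = 1     # visiteur value god.php3 accepts ($identite != 1 redirects everyone else)
VISITOR = 14  # visiteur value user.php3 treats as an anonymous visitor


def make_db(admin_logged_in=True):
    """Constructed stand-in for $TABLE_CURRENT_VISITS with the advisory's two columns."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE current_visits (ID INTEGER PRIMARY KEY, visiteur INTEGER)")
    rows = [(2, 7), (3, VISITOR)]            # a logged-in member and the shared visitor row
    if admin_logged_in:
        rows.insert(0, (1, ADMIN))           # the administrator's current visit
    db.executemany("INSERT INTO current_visits (ID, visiteur) VALUES (?, ?)", rows)
    return db


def get_identity_vulnerable(db, cook_id):
    """The original lookup: the raw cookie string is pasted into the SQL unquoted."""
    query = f"SELECT visiteur FROM current_visits WHERE ID={cook_id}"
    row = db.execute(query).fetchone()
    return row[0] if row else None           # None mirrors $row["visiteur"] on an empty result


def addslashes(s):
    """Emulates PHP addslashes(): backslash-escape ' " \\ and NUL."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", s)


def get_identity_patched(db, cook_id):
    """The advisory's patch: addslashes() plus single quotes around the value."""
    query = f"SELECT visiteur FROM current_visits WHERE ID='{addslashes(cook_id)}'"
    row = db.execute(query).fetchone()
    return row[0] if row else None


def php_int(s):
    """Emulates PHP's (int) cast on a string: leading integer if present, else 0."""
    m = re.match(r"\s*[+-]?\d+", s)
    return int(m.group()) if m else 0


def get_identity_int(db, cook_id):
    """Tighter fix: ID is numeric, so cast to int and bind it as a query parameter."""
    row = db.execute("SELECT visiteur FROM current_visits WHERE ID=?",
                     (php_int(cook_id),)).fetchone()
    return row[0] if row else None


def is_admin(identity):
    """god.php3's gate: only an identity of 1 gets through."""
    return identity == ADMIN


PAYLOAD = "0 OR visiteur=1"   # the cookie value from the advisory


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, legit visitor cookie :", get_identity_vulnerable(db, "3"))
    print("vulnerable, payload              :", get_identity_vulnerable(db, PAYLOAD))
    print("addslashes patch, payload        :", get_identity_patched(db, PAYLOAD))
    print("int cast, payload                :", get_identity_int(db, PAYLOAD))
    print("vulnerable, payload, admin absent:", get_identity_vulnerable(make_db(False), PAYLOAD))
```

With the payload, the vulnerable lookup returns 1 (administrator) as long as an admin row exists, and None once it does not; the quoted addslashes() version and the integer cast both return None for the payload while still resolving a genuine cookie such as "3" to the visitor identity. SQLite compares the quoted payload as text against an integer column, which matches MySQL's outcome (no row) for this value.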

frog-m@n
