PHP Stat Administrative User Authentication Bypass

From: SoulBlack Group (soulblacktm_at_gmail.com)
Date: 05/27/05

  • Next message: sp3x: "PostNuke Critical SQL Injection and XSS 0.750=>x"
    Date: Fri, 27 May 2005 01:45:03 -0300
    To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, news@securiteam.com, sec@soulblack.com.ar, bugs@securitytracker.com, submissions@packetstormsecurity.org, vuln@secunia.com, alerts_advisories@net-security.org
    
    

    ===========================================================

    ============================================================
    Title: PHP Stat
    Vulnerability discovery: SoulBlack - Security Research -
    http://soulblack.com.ar
    Date: 25/05/2005
    Severity: Medium. PHP Stat Administrative User Authentication Bypass
    Affected version: unkown
    vendor: http://phpstat.sourceforge.net/journal/
    ============================================================

    ============================================================

    * Summary *

    PhpStat is a set of PHP scripts that can analyze, sort, and generate
    statistics on IM
    log files from different clients and store the data in a database. It
    also allows for
    users to read their own logs.

    -------------------------------------------------------------

    * Problem Description *

    The bug reside in $check var in setup.php.

    Vulnerable Code

    include("config.php");
    include("$path_data/setup.php");
    $check = $_REQUEST['check'];
    $pass = $_REQUEST['pass'];
    $user = $_REQUEST['user'];
    if ($check == "admin" && $pass == $password && $user == $username) {
    showsetup();
    } elseif (($check == "admin") && ($pass != $password || $user != $username)) {
    adminerror();
    } elseif ($check == "yes") {
    write($_REQUEST);
    } else {
    admin();

    /*

    when it sends a "yes" in setup.php this call to the function "write()"

    */

    function write($_REQUEST) {
    include("config.php");
     .
     .
     .
     .
     $admin = strtolower($_REQUEST['admin']);
     $username = strtolower($_REQUEST['username']);
     $password = strtolower($_REQUEST['password']);
     $fp = fopen("$path_data/setup.php", "wb") or die ("The File
    \"$path_data/setup.php\" does not exist");
     flock( $fp, 2);
     fputs ($fp, "<?php\n\$show = \"$show\";\n\$refshow =
    \"$refshow\";\n\$ldec = \"$ldec\";\n\$lcolor = \"$lcolor\";\n\$hcolor
    = \"$hcolor\";\n\$font_family = \"$font_family\";\n\$font_size =
    \"$font_size\";\n\$color = \"$color\";\n\$font_style =
    \"$font_style\";\n\$font_weight = \"$font_weight\";\n\$letter_spacing
    = \"$letter_spacing\";\n\$admin = \"$admin\";\n\$username =
    \"$username\";\n\$password = \"$password\";\n?>");
     flock( $fp, 1);
     fclose ($fp);

    where we you see

     setup.php?check=yes&username=admin&password=admin

    -------------------------------------------------------------

    * POC *

    http://www.soulblack.com.ar/repo/tools/sbphpstatpoc.txt

    -------------------------------------------------------------

    * Fix *

      Use .htaccess or contact Vendor.

    -------------------------------------------------------------

    * References *

    http://www.soulblack.com.ar/repo/papers/advisory/PhpStat_advisory.txt

    -------------------------------------------------------------

    * Credits *

    Vulnerability reported by SoulBlack Security Research

    ============================================================

    --
    SoulBlack - Security Research
    http://www.soulblack.com.ar
    

  • Next message: sp3x: "PostNuke Critical SQL Injection and XSS 0.750=>x"

    Relevant Pages