miniPortail (PHP) : Admin Access

From: Frog Man (leseulfrogat_private)
Date: Thu May 08 2003 - 08:35:46 PDT


    Information :
    °°°°°°°°°°°°°
    Language : PHP
    Website : http://www.aldweb.com/
    Version : 1.9, 2.0, 2.1, 2.2 (and earlier ?)
    Problem : Admin Access
    
    
    PHP Code/Location :
    °°°°°°°°°°°°°°°°°°°
    
    admin/admin.php :
    
    -----------------------------------------------------------------------------------------------------------------------------
    [...]
    $portalname = "miniPortailAdmin";
    $cookiedata = "adminok";
    include("mdp.php");
    
    if (md5($pass) == $mdp) {
      setcookie($portalname, $cookiedata);
    }
    elseif ($logout == 1) {
      setcookie($portalname, "");
      header("location:../index.php");
    }
    
    $chemin = "../";
    include($chemin."inc/includes.inc");
    
    if (($HTTP_COOKIE_VARS[$portalname] == $cookiedata || md5($pass) == $mdp) && 
    empty($pg)) {
      include($chemin."inc/hpage.inc");
      htable($admin1, "100%");
    
    [...]
    
    }
    elseif ($HTTP_COOKIE_VARS[$portalname] == $cookiedata && !empty($pg)) {
      if (file_exists("inc/".$pg.".inc")) {
        $chemin = "../";
        include("inc/".$pg.".inc");
      }
    [...]
    -----------------------------------------------------------------------------------------------------------------------------
    
    
    Exploit :
    °°°°°°°
    Set a cookie named miniPortailAdmin with the value "adminok" on 
    http://[target]/admin/admin.php
    
    
    Solution :
    °°°°°°°°°
    
    A patch has been created and can be found on http://www.phpsecure.info .
    
    
    In admin/admin.php, replace the lines :
    -------------------------------------------------------------------------------------------
    [...]
    $portalname = "miniPortailAdmin";
    $cookiedata = "adminok";
    include("mdp.php");
    
    if (md5($pass) == $mdp) {
      setcookie($portalname, $cookiedata);
    }
    elseif ($logout == 1) {
      setcookie($portalname, "");
      header("location:../index.php");
    }
    
    $chemin = "../";
    include($chemin."inc/includes.inc");
    
    if (($HTTP_COOKIE_VARS[$portalname] == $cookiedata || md5($pass) == $mdp) && 
    empty($pg)) {
    [...]
    -------------------------------------------------------------------------------------------
    
    with :
    
    ---------------------------------------------------------------------------------------
    include("mdp.php");
    session_start();
    $miniPortailAdmin = "";
    
    if (md5($pass) == $mdp) {
      $miniPortailAdmin = "adminok";
      session_register("miniPortailAdmin");
    }
    elseif ($logout == 1) {
      session_unregister("miniPortailAdmin");
      header("location:../index.php");
    }
    
    $chemin = "../";
    include($chemin."inc/includes.inc");
    
    if ((session_is_registered("miniPortailAdmin") || md5($pass) == $mdp) && 
    empty($pg)) {
    ---------------------------------------------------------------------------------------
    
    and the line :
    
    ------------------------------------------------------------------------
    elseif ($HTTP_COOKIE_VARS[$portalname] == $cookiedata && !empty($pg)) {
    ------------------------------------------------------------------------
    
    with :
    
    --------------------------------------------------------------------
    elseif (session_is_registered("miniPortailAdmin") && !empty($pg)) {
    --------------------------------------------------------------------
    
    
    
    More Details :
    °°°°°°°°°°°°
    In French :
    http://www.frog-man.org/tutos/miniPortail.txt
    
    
    
    frog-m@n
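
The same server-side session check written for current PHP, where `session_register()`, `session_is_registered()`, `$HTTP_COOKIE_VARS` and register_globals no longer exist. This is an added example, not the author's patch or miniPortail's own code. It assumes `mdp.php` still sets `$mdp` to the MD5 hex digest of the admin password, that the login form POSTs `pass`, and that logout is requested with `?logout=1`; `is_admin()` and `try_login()` are hypothetical helper names.

```php
<?php
// Added example (not from the original post): admin gate for admin/admin.php
// that keeps the "adminok" flag in the server-side session instead of a
// client-supplied cookie. Helper names and request parameters are assumptions.
declare(strict_types=1);

include "mdp.php"; // assumed to define $mdp = MD5 hex digest of the password

session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
session_start();

/** True only when the server-side session carries the admin flag. */
function is_admin(): bool
{
    return ($_SESSION['miniPortailAdmin'] ?? null) === 'adminok';
}

/** Check the submitted password; on success mark the session as admin. */
function try_login(string $pass, string $mdp): bool
{
    // hash_equals() compares as strings in constant time; the loose == of
    // the original can treat two "0e<digits>" digests as equal numbers.
    // MD5 is kept here only to match the value stored in mdp.php.
    if (!hash_equals($mdp, md5($pass))) {
        return false;
    }
    session_regenerate_id(true); // fresh session id after the privilege change
    $_SESSION['miniPortailAdmin'] = 'adminok';
    return true;
}

if (isset($_POST['pass']) && is_string($_POST['pass'])) {
    try_login($_POST['pass'], (string) $mdp);
} elseif (($_GET['logout'] ?? '') === '1') {
    $_SESSION = [];
    session_destroy();
    header('Location: ../index.php');
    exit;
}

if (!is_admin()) {
    // The real page would render its login form here.
    http_response_code(403);
    exit('Admin login required');
}
// Admin pages follow. A request cookie named miniPortailAdmin is never read,
// so setting it by hand has no effect on is_admin().
```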
    
    


