Informations :
°°°°°°°°°°°°°
Language : PHP
Version : 3.0 (and less ?)
Website : http://www.attila-php.net
Problem : User/Admin Access

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
www/global.php3 :
---------------------------------------------------------------------------------------------------------------------------
/** Resolves the caller's identity from the cook_id cookie. Returns 14 for an anonymous visitor
    (inserting the shared visitor row if it is missing and handing the client its ID as the cookie),
    otherwise the "visiteur" column of the $TABLE_CURRENT_VISITS row whose ID matches the cookie.
    god.php3 below requires the value 1; user.php3 rejects 14. **/
function get_identity() {
    global $cook_id, $TABLE_CURRENT_VISITS,$base;
    $table=$TABLE_CURRENT_VISITS;
    connect_db();
    if (!$cook_id) { /** no cookie set? Visitor! **/
        add_log("visit",14);
        $query="SELECT * FROM $table Where visiteur=14";
        $resu2=mysql_db_query($base,$query);
        /** loose comparison: mysql_fetch_row() yields false when there is no row, and false == 0 **/
        if (mysql_fetch_row($resu2)==0) {
            $query="INSERT INTO $table (id,visiteur) VALUES ('0','14')"; /** If no entry for visitor, insert one **/
            $resu=mysql_db_query($base,$query);
        }
        $query="SELECT * FROM $table Where visiteur=14";
        $resu=mysql_db_query($base,$query);
        $row=mysql_fetch_array($resu);
        $valid=$row["ID"];
        /** the bare row ID becomes the client's identity token; nothing signs or otherwise protects it,
            so whatever value the client later presents as cook_id is what the lookup below trusts **/
        setcookie("cook_id",$valid);
        return(14);
        exit; /** unreachable: the return above already leaves the function **/
    }
    /** $cook_id comes straight back from the client cookie and is interpolated into the SQL unquoted
        and unvalidated, so the client controls the WHERE clause - this is the injection point the
        advisory describes. ID is numeric, so the lookup should only ever see an integer here. **/
    $query="SELECT * FROM $table Where ID=$cook_id";
    $resu=mysql_db_query($base,$query);
    $row=mysql_fetch_array($resu);
    $visiteur=$row["visiteur"];
    return($visiteur);
}
---------------------------------------------------------------------------------------------------------------------------
/user.php3, www/user_action.php3 :
-------------------------------------------------------------------------
$identite=get_identity();
if ($identite==14) {header("Location: http://$weburl/index.php3"); exit;}
-------------------------------------------------------------------------
www/god_action.php3,www/god.php3 :
--------------------------------------------------------------
$identite=get_identity();
if ($identite!=1) {header("Location: http://$weburl"); exit; }
--------------------------------------------------------------
Exploit :
°°°°°°°
Set cookie named "cook_id" with the value "0 OR visiteur=1" on http://[target]/index.php3 (or any other pages).
Patch :
°°°°°°°
A patch and more details can be found on http://www.phpsecure.info.
In www/global.php3, replace the line :
------------------------------------------------
$query="SELECT * FROM $table Where ID=$cook_id";
------------------------------------------------
with the lines :
--------------------------------------------------
$cook_id = addslashes($cook_id);
$query="SELECT * FROM $table Where ID='$cook_id'";
--------------------------------------------------
Note that quoting plus addslashes() only stops the cookie value from breaking out of the string literal; since ID is a numeric column, coercing the cookie to an integer before building the query (or using a parameterised query where the database driver supports it) is the more robust fix. The patch also leaves the cookie itself unchanged: it is still a bare row ID with no integrity protection, so get_identity() continues to trust whatever ID the client presents.

frog-m@n