|
 |
|
 |
|
Digi-news and Digi-ads version 1.1 admin access without password
|
|
 |
|
 |
Overview
Digi-news and Digi-ads version 1.1 admin access without password
Discovered on 2003, March, 30th
Vendor: Digi-FX
Digi-news 1.1 is a PHP news editor. It allows you to easily add, edit, and delete news.
Digi-ad 1.1 is a PHP ad rotator. It allows you to easily add, edit, reset, and delete ads.
A vulnerability allows to access to the admin area in both script, without the administrator password.
Risk
| Exploit easiness |
 |
| Vulnerability spreading |
 |
| Impact |
|
| Risk |
|
Details
In Digi-news or Digi-ad, the admin web page is admin.php
Here is a sample of the admin authentification in this admin.php :
if (!isset($action)) {
$action = '';
}
if ($action == 'auth') {
auth();
}
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) && (@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {
login();
exit;
}
Continued as admin logged...
As you can see, the authentification scheme is based on a cookie. This cookie contains the user and the MD5 hashed password.
But the programmer did a mistake :
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) && (@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {
It means that "Admin is authentificated" if "user = user in the cookie" OR "password = password in the cookie".
In english, it means you don't need the admin password as far as you know the admin login !
The default admin login is "admin". If it doesn't work, try these :
- Admin
- Administrator
- administrator
- Root
- root
- the nickname of the admin (if known)
- the surname of the admin (if known)
- etc...
Exploit
Ok, that's quite easy. You just have to send a handwrited cookie with user=admin in.
You can do that with the well-known Proxomitron.
Here is a proof of concept :
Regular HTTP GET command
You get the authentification page
Personalized HTTP GET command with the "user" cookie
You get the admin page !
Solution
The solution is to replace the AND operation by a OR operation, as followed :
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) || (@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {
The vendor has been informed and solved the problems. Download Digi-News 1.2 and Digi-ads 1.2
Discovered by
Arnaud Jacques aka scrap
webmaster@securiteinfo.com
http://www.securiteinfo.com
|
|
