
Digi-news and Digi-ads version 1.1 admin access without password



Overview


Digi-news and Digi-ads version 1.1 admin access without password
Discovered on March 30th, 2003
Vendor: Digi-FX

Digi-news 1.1 is a PHP news editor. It allows you to easily add, edit, and delete news.
Digi-ads 1.1 is a PHP ad rotator. It allows you to easily add, edit, reset, and delete ads.
A vulnerability allows access to the admin area of both scripts without the administrator password.

Risk


Exploit easiness: 5/5
Vulnerability spreading: 2/5
Impact: 5/5
Risk: 4/5

Details


In Digi-news or Digi-ads, the admin web page is admin.php.
Here is a sample of the admin authentication code in admin.php:

if (!isset($action)) {
   $action = '';
}
if ($action == 'auth') {
   auth();
}
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) && (@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {
   login();
   exit;
}
// ... execution continues here as a logged-in admin


As you can see, the authentication scheme is based on a cookie. This cookie contains the user name and the MD5-hashed password. But the programmer made a mistake:
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) && (@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {
The login page is shown only when the user cookie is wrong AND the password cookie is wrong. It means that "Admin is authenticated" if "user = user in the cookie" OR "password = password in the cookie". In plain English, you don't need the admin password as long as you know the admin login!
The default admin login is "admin". If it doesn't work, try these :

Exploit


OK, that's quite easy. You just have to send a handcrafted cookie containing user=admin. You can do that with the well-known Proxomitron. Here is a proof of concept:


Regular HTTP GET command


You get the authentication page


Customized HTTP GET command with the "user" cookie


You get the admin page!

Solution


The solution is to replace the AND operator with an OR operator, as follows:
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) || (@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {
The vendor has been informed and has fixed the problem. Download Digi-News 1.2 and Digi-ads 1.2.
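The effect of the operator change described in Details and Solution, as an added example that is not Digi-FX's code: the 1.1 check, the corrected check, and a stricter variant are run against the same cookie sets. The `$config` array (standing in for `$digiNews`), the function names, the sample credentials and the `hash_equals()` variant are assumptions made for illustration and go beyond the one-operator fix above.

```php
<?php
// Added illustration, not Digi-FX code. $config stands in for $digiNews;
// the credentials and cookie sets below are constructed sample values.
$config = ['user' => 'admin', 'pass' => 'S3cret-sample'];

// Version 1.1 logic: the login page is shown only when BOTH values mismatch.
function deniedV11(array $cookie, array $config): bool {
    return (@$cookie['user'] != $config['user'])
        && (@$cookie['pass'] != md5($config['pass']));
}

// Corrected logic from the Solution: deny when EITHER value mismatches.
function deniedFixed(array $cookie, array $config): bool {
    return (@$cookie['user'] != $config['user'])
        || (@$cookie['pass'] != md5($config['pass']));
}

// Assumed hardening beyond the page's fix: require both cookies to be
// strings and compare with hash_equals() (constant-time, no type juggling).
function deniedStrict(array $cookie, array $config): bool {
    $user = $cookie['user'] ?? null;
    $pass = $cookie['pass'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return true;
    }
    $userOk = hash_equals($config['user'], $user);
    $passOk = hash_equals(md5($config['pass']), $pass);
    return !($userOk && $passOk);
}

$cases = [
    'no cookie'           => [],
    'user only'           => ['user' => 'admin'],
    'hash only'           => ['pass' => md5('S3cret-sample')],
    'user + wrong hash'   => ['user' => 'admin', 'pass' => md5('guess')],
    'user + correct hash' => ['user' => 'admin', 'pass' => md5('S3cret-sample')],
];

printf("%-20s %-8s %-8s %-8s\n", 'cookie', 'v1.1', 'fixed', 'strict');
foreach ($cases as $label => $cookie) {
    printf("%-20s %-8s %-8s %-8s\n", $label,
        deniedV11($cookie, $config)    ? 'login' : 'ADMIN',
        deniedFixed($cookie, $config)  ? 'login' : 'ADMIN',
        deniedStrict($cookie, $config) ? 'login' : 'ADMIN');
}
```

Under the 1.1 check every row except "no cookie" reaches the admin code; under the corrected and strict checks only the last row does.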

Discovered by


Arnaud Jacques aka scrap
webmaster@securiteinfo.com

Tags


VULNERABILITY RESEARCH, WEBSITE, AUTHENTICATION, PASSWORD

