SecurityTracker.com
Category:  Application (Generic)  >  phpStat
Vendors:  phpstat.sourceforge.net
phpStat 'setup.php' Lets Remote Users Modify the Administrative Password
SecurityTracker Alert ID:  1014064
SecurityTracker URL:  http://securitytracker.com/id?1014064
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  May 27 2005
Impact:  Modification of authentication information, User access via network
Exploit Included:  Yes  
Description:  SoulBlack Security Research reported a vulnerability in phpStat. A remote user can gain administrative access to the application.

A remote user can supply a specially crafted URL that causes 'setup.php' to reset the password for a username. The remote user can then log in using the specified password.

A demonstration exploit URL is provided:

setup.php?check=yes&username=admin&password=admin

A demonstration exploit is available at:

http://www.soulblack.com.ar/repo/tools/sbphpstatpoc.txt

The original advisory is available at:

http://www.soulblack.com.ar/repo/papers/advisory/PhpStat_advisory.txt

Impact:  A remote user can change the administrative password and access the application.
Solution:  No solution was available at the time of this entry.
Vendor URL:  phpstat.sourceforge.net/journal/
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  SoulBlack Group <soulblacktm@gmail.com>
Message History:   None.


 Source Message Contents

Date:  Fri, 27 May 2005 01:45:03 -0300
From:  SoulBlack Group <soulblacktm@gmail.com>
Subject:  PHP Stat Administrative User Authentication Bypass

 
 
===========================================================
 
============================================================
Title: PHP Stat
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 25/05/2005
Severity: Medium. PHP Stat Administrative User Authentication Bypass
Affected version: unknown
vendor: http://phpstat.sourceforge.net/journal/
============================================================
 
============================================================
 
* Summary *
 
PhpStat is a set of PHP scripts that can analyze, sort, and generate
statistics on IM log files from different clients and store the data
in a database. It also allows for users to read their own logs.
 
-------------------------------------------------------------
 
* Problem Description *
 
The bug resides in the $check var in setup.php.
 
Vulnerable Code
 
include("config.php");
include("$path_data/setup.php");   // loads the stored $username and $password
$check = $_REQUEST['check'];
$pass = $_REQUEST['pass'];
$user = $_REQUEST['user'];
if ($check == "admin" && $pass == $password && $user == $username) {
    showsetup();
} elseif (($check == "admin") && ($pass != $password || $user != $username)) {
    adminerror();
} elseif ($check == "yes") {
    // reached without any comparison against $password / $username
    write($_REQUEST);
} else {
    admin();
}
 
 
/*
 
when it sends a "yes" in setup.php this call to the function "write()"
 
*/
 
function write($_REQUEST) {
include("config.php");
 .
 .
 .
 .
 $admin = strtolower($_REQUEST['admin']);
 $username = strtolower($_REQUEST['username']);
 $password = strtolower($_REQUEST['password']);
 $fp = fopen("$path_data/setup.php", "wb") or die ("The File \"$path_data/setup.php\" does not exist");
 flock( $fp, 2);
 // rewrites the settings file, including the stored credentials,
 // with the values taken from the request
 fputs ($fp, "<?php\n\$show = \"$show\";\n\$refshow = \"$refshow\";\n"
   . "\$ldec = \"$ldec\";\n\$lcolor = \"$lcolor\";\n\$hcolor = \"$hcolor\";\n"
   . "\$font_family = \"$font_family\";\n\$font_size = \"$font_size\";\n"
   . "\$color = \"$color\";\n\$font_style = \"$font_style\";\n"
   . "\$font_weight = \"$font_weight\";\n\$letter_spacing = \"$letter_spacing\";\n"
   . "\$admin = \"$admin\";\n\$username = \"$username\";\n"
   . "\$password = \"$password\";\n?>");
 flock( $fp, 1);
 fclose ($fp);
}
 
 
where we you see
 
 setup.php?check=yes&username=admin&password=admin
 
 
-------------------------------------------------------------
 
* POC *
 
http://www.soulblack.com.ar/repo/tools/sbphpstatpoc.txt
 
-------------------------------------------------------------
 
* Fix *
 
  Use .htaccess or contact Vendor.
 
-------------------------------------------------------------
 
* References *
 
http://www.soulblack.com.ar/repo/papers/advisory/PhpStat_advisory.txt
 
-------------------------------------------------------------
 
* Credits *
 
Vulnerability reported by SoulBlack Security Research
 
============================================================
 
--
SoulBlack - Security Research
http://www.soulblack.com.ar
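
A log check for the request pattern this advisory describes, added here as an example; it is not from SecurityTracker, SoulBlack or phpStat. It assumes Apache combined-format access logs, and the sample lines, client addresses and the `/phpstat/` path are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [27/May/2005:01:50:11 -0300] "GET /phpstat/setup.php?check=admin&user=bob&pass=x HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [27/May/2005:02:03:44 -0300] "GET /phpstat/setup.php?check=yes&username=admin&password=admin HTTP/1.1" 200 128 "-" "-"
198.51.100.7 - - [27/May/2005:02:04:01 -0300] "GET /phpstat/setup.php?check=%79es&username=a&password=b HTTP/1.1" 200 128 "-" "-"
203.0.113.5 - - [27/May/2005:02:10:09 -0300] "POST /phpstat/setup.php HTTP/1.1" 200 128 "-" "-"
192.0.2.10 - - [27/May/2005:02:11:30 -0300] "GET /phpstat/index.php?check=yes HTTP/1.1" 200 900 "-" "-"
"""

# client, timestamp, method and request target of one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} ')


def classify(line):
    """Return (verdict, client, timestamp) for a setup.php request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, when, method, target = m.groups()
    url = urlsplit(target)
    if not unquote(url.path).lower().endswith("/setup.php"):
        return None
    # parse_qs percent-decodes values; PHP keeps the last value of a repeated name.
    params = {k: v[-1] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    if params.get("check") == "yes":
        sets_creds = "username" in params or "password" in params
        return ("credential-write" if sets_creds else "config-write", client, when)
    if method.upper() == "POST" and "check" not in params:
        # $_REQUEST also reads the POST body, which access logs do not record.
        return ("review-post", client, when)
    return None


def scan(log_text):
    """Classify every line and keep the ones that touch the write branch."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for verdict, client, when in scan(SAMPLE_LOG):
        print(f"{when}  {client:15}  {verdict}")
```

A plain text search for `check=yes` would miss the percent-encoded third sample line. A `review-post` hit is only a lead, since the request parameters are not in the log.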
 



Copyright 2005, SecurityGlobal.net LLC