SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Forum/Board/Portal)  >   digi-news Vendors:   digi-FX
digi-news Authentication Error Grants Administrative Access to Remote Users
SecurityTracker Alert ID:  1007218
SecurityTracker URL:  http://securitytracker.com/id/1007218
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 16 2003
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.1
Description:   Arnaud Jacques (scrap) of Securiteinfo.com reported a vulnerability in 'digi-news'. A remote user can gain administrative access to the application.

It is reported that the 'admin.php' page contains a programming error. According to the report, the script will grant administrator access to remote users that have provided either the correct user name (via a cookie) or the correct password. A remote user can set a cookie named 'user' to the administrator's username to gain administrative access to the system. The default administrator username is 'admin', according to the report.

Impact:   A remote user can gain administrative access to the application without supplying the correct password.
Solution:   The vendor has released a fixed version (1.2), available at:

http://www.digi-fx.net/freescripts.php
http://www.digi-fx.net/freebies/digi-news1.2.zip

Vendor URL:  www.digi-fx.net/freescripts.php (Links to External Site)
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Digi-news and Digi-ads version 1.1 admin access without password



Digi-news and Digi-ads version 1.1 admin access without password

.oO Overview Oo.
Digi-news and Digi-ads version 1.1 admin access without password
Discovered on 2003, March, 30th
Vendor: Digi-FX

Digi-news 1.1 is a PHP news editor. It allows you to easily add, edit, and
delete news.
Digi-ad 1.1 is a PHP ad rotator. It allows you to easily add, edit, reset, and
delete ads.
A vulnerability allows access to the admin area in both scripts without the
administrator password.
Original text is at
http://www.securiteinfo.com/attaques/hacking/digi-news1_1.shtml


.oO Details Oo.
In Digi-news or Digi-ad, the admin web page is admin.php
Here is a sample of the admin authentication in this admin.php:

if (!isset($action)) {
    $action = '';
}
if ($action == 'auth') {
    auth();
}
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) &&
    (@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {
    login();
    exit;
}
Continued as admin logged...


As you can see, the authentication scheme is based on a cookie. This cookie
contains the user and the MD5 hashed password. But the programmer made a
mistake:
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) &&
    (@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {
It means that "Admin is authenticated" if "user = user in the cookie" OR
"password = password in the cookie". In English, it means you don't need the
admin password as long as you know the admin login!
The default admin login is "admin". If it doesn't work, try these:

     * Admin
     * Administrator
     * administrator
     * Root
     * root
     * the nickname of the admin (if known)
     * the surname of the admin (if known)
     * etc...


.oO Exploit Oo.
Ok, that's quite easy. You just have to send a handwritten cookie containing
user=admin. You can do that with the well-known Proxomitron.

.oO Solution Oo.
The solution is to replace the AND operation with an OR operation, as follows:
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) ||
    (@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {
The vendor has been informed and solved the problems. Download Digi-News 1.2
and Digi-ads 1.2 at http://www.digi-fx.net/freescripts.php

.oO Discovered by Oo.
Arnaud Jacques aka scrap
webmaster@securiteinfo.com
http://www.securiteinfo.com
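The script below is an added example and is not code from the advisory or from digi-FX. It restates the quoted admin.php condition in Python so the boolean mistake can be checked mechanically: the 1.1 check (reject only when user AND pass are both wrong), the 1.2 fix described above (reject when user OR pass is wrong), and a positive-form variant that states the rule as "user matches AND hash matches" with a constant-time comparison. The $digiNews values and the cookie jars are constructed stand-ins; the positive-form check is this example's addition, not part of the vendor fix.

```python
import hashlib
import hmac

# Constructed stand-in for the $digiNews configuration array in admin.php.
# Values are made up for this example; only the structure mirrors the advisory.
DIGI_NEWS = {"user": "admin", "pass": "s3cret-example"}


def md5_hex(text: str) -> str:
    """PHP's md5() returns a lowercase hex digest; this matches it."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def vulnerable_check(cookies: dict) -> bool:
    """Authentication decision of digi-news/digi-ads 1.1 as quoted in the advisory.

    The original PHP calls login() and exits only when
        user != $digiNews['user']  AND  pass != md5($digiNews['pass'])
    so the request is treated as authenticated whenever either comparison
    is false, i.e. when the user cookie OR the pass cookie is right.
    A missing cookie behaves like @$HTTP_COOKIE_VARS[...] in PHP: it is
    null and therefore "not equal" to the stored value.
    """
    user_wrong = cookies.get("user") != DIGI_NEWS["user"]
    pass_wrong = cookies.get("pass") != md5_hex(DIGI_NEWS["pass"])
    return not (user_wrong and pass_wrong)


def fixed_check(cookies: dict) -> bool:
    """The vendor fix described in the advisory: AND replaced by OR.

    A single wrong (or missing) cookie is now enough to reject the request,
    which by De Morgan is the same as requiring BOTH cookies to be correct.
    """
    user_wrong = cookies.get("user") != DIGI_NEWS["user"]
    pass_wrong = cookies.get("pass") != md5_hex(DIGI_NEWS["pass"])
    return not (user_wrong or pass_wrong)


def hardened_check(cookies: dict) -> bool:
    """Positive form of the same rule (this example's addition, not from the advisory).

    Writing "user matches AND hash matches" is harder to get wrong than
    negating a compound condition, and compare_digest avoids leaking
    how many leading characters of the hash matched through timing.
    """
    user_ok = cookies.get("user", "") == DIGI_NEWS["user"]
    pass_ok = hmac.compare_digest(
        cookies.get("pass", "").encode("utf-8"),
        md5_hex(DIGI_NEWS["pass"]).encode("utf-8"),
    )
    return user_ok and pass_ok


# Constructed cookie jars covering the cases that matter for this bug.
CASES = {
    "no cookies": {},
    "user only": {"user": "admin"},
    "pass only": {"pass": md5_hex(DIGI_NEWS["pass"])},
    "both correct": {"user": "admin", "pass": md5_hex(DIGI_NEWS["pass"])},
    "both wrong": {"user": "guest", "pass": md5_hex("wrong")},
}


def decision_table() -> dict:
    """Return {case: (vulnerable, fixed, hardened)} for every constructed case."""
    return {
        name: (vulnerable_check(jar), fixed_check(jar), hardened_check(jar))
        for name, jar in CASES.items()
    }


if __name__ == "__main__":
    print(f"{'case':<14}{'1.1 (AND)':<12}{'1.2 (OR)':<12}hardened")
    for name, (vuln, fixed, hard) in decision_table().items():
        print(f"{name:<14}{str(vuln):<12}{str(fixed):<12}{hard}")
```

Running it prints one row per case; the "user only" and "pass only" rows are the ones where the 1.1 condition grants access while both corrected forms refuse it. The same table is a cheap regression test to keep next to any login check written as a negated compound condition.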


Copyright 2021, SecurityGlobal.net LLC