


Category:   Application (Generic)  >   phpStat Vendors:
phpStat 'setup.php' Lets Remote Users Modify the Administrative Password
SecurityTracker Alert ID:  1014064
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 27 2005
Impact:   Modification of authentication information, User access via network
Exploit Included:  Yes  

Description:   SoulBlack Security Research reported a vulnerability in phpStat. A remote user can gain administrative access to the application.

A remote user can supply a specially crafted URL to cause 'setup.php' to reset the password for a username. The remote user can then log in using the specified password.

A demonstration exploit URL is provided:


A demonstration exploit is available at:

The original advisory is available at:

Impact:   A remote user can change the administrative password and access the application.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  PHP Stat Administrative User Authentication Bypass


Title: PHP Stat
Vulnerability discovery: SoulBlack - Security Research -
Date: 25/05/2005
Severity: Medium. PHP Stat Administrative User Authentication Bypass
Affected version: unknown


* Summary *

PhpStat is a set of PHP scripts that can analyze, sort, and generate
statistics on IM log files from different clients and store the data in
a database. It also allows for users to read their own logs.


* Problem Description *

The bug resides in the $check variable in setup.php.

Vulnerable Code

$check = $_REQUEST['check'];
$pass = $_REQUEST['pass'];
$user = $_REQUEST['user'];
if ($check == "admin" && $pass == $password && $user == $username) {
} elseif (($check == "admin") && ($pass != $password || $user != $username)) {
} elseif ($check == "yes") {
} else {


When it sends a "yes" to setup.php, this calls the function "write()"


function write($_REQUEST) {
 $admin = strtolower($_REQUEST['admin']);
 $username = strtolower($_REQUEST['username']);
 $password = strtolower($_REQUEST['password']);
 $fp = fopen("$path_data/setup.php", "wb") or die ("The File \"$path_data/setup.php\" does not exist");
 flock( $fp, 2);
 fputs ($fp, "<?php\n\$show = \"$show\";\n\$refshow = \"$refshow\";\n\$ldec = \"$ldec\";\n\$lcolor = \"$lcolor\";\n\$hcolor = \"$hcolor\";\n\$font_family = \"$font_family\";\n\$font_size = \"$font_size\";\n\$color = \"$color\";\n\$font_style = \"$font_style\";\n\$font_weight = \"$font_weight\";\n\$letter_spacing = \"$letter_spacing\";\n\$admin = \"$admin\";\n\$username = \"$username\";\n\$password = \"$password\";\n?>");
 flock( $fp, 1);
 fclose ($fp);

where we you see



* POC *


* Fix *

  Use .htaccess or contact Vendor.


* References *


* Credits *

Vulnerability reported by SoulBlack Security Research


SoulBlack - Security Research
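
The access control error described above, where the "yes" branch of setup.php reaches write() without checking the current credentials, can be closed by gating every state-changing branch on authentication. The following is an added example, not phpStat code and not part of the SoulBlack message; the function name setup_action(), the $stored array and the sample requests are assumptions made for illustration.

```php
<?php
// Added example, not phpStat code. setup_action() and $stored are
// hypothetical names; $stored stands for the saved setup.php values.

// Decide what setup.php may do for one request. Every branch that can
// change stored settings is gated on the *current* credentials.
function setup_action(array $req, array $stored): string
{
    $check = (string)($req['check'] ?? '');
    $user  = (string)($req['user'] ?? '');
    $pass  = (string)($req['pass'] ?? '');

    // Empty stored credentials must never authenticate an empty login.
    $configured = $stored['username'] !== '' && $stored['password'] !== '';
    // Evaluate both comparisons in constant time before combining them.
    $userOk = hash_equals($stored['username'], $user);
    $passOk = hash_equals($stored['password'], $pass);
    $authed = $configured && $userOk && $passOk;

    if ($check === 'admin') {
        return $authed ? 'show_form' : 'deny';
    }
    if ($check === 'yes') {
        // Per the advisory, this branch called write() with no credential check.
        return $authed ? 'write' : 'deny';
    }
    return 'login';
}

// Constructed sample requests (not captured traffic).
$stored = ['username' => 'admin', 'password' => 'constructed-secret'];
$cases = [
    'write, no credentials'    => ['check' => 'yes', 'password' => 'new'],
    'write, wrong credentials' => ['check' => 'yes', 'user' => 'admin', 'pass' => 'guess'],
    'write, valid credentials' => ['check' => 'yes', 'user' => 'admin',
                                   'pass' => 'constructed-secret', 'password' => 'new'],
    'form, valid credentials'  => ['check' => 'admin', 'user' => 'admin',
                                   'pass' => 'constructed-secret'],
];
foreach ($cases as $label => $req) {
    printf("%-26s => %s\n", $label, setup_action($req, $stored));
}
```

Only the requests carrying the currently stored username and password reach the 'write' or 'show_form' outcome; the other two are denied before any file is opened.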
