List: bugtraq
Subject: aRCHILLES Newsworld < 1.5.0-rc1 Multiple Vulnerabilities
From: chburchert () web ! de
Date: 2005-10-21 20:34:23
Message-ID: 20051021203423.12297.qmail () securityfocus ! com
aRCHILLES Newsworld < 1.5.0-rc1 Multiple Vulnerabilities
Software: aRCHILLES Newsworld
Vulnerable versions: <= 1.5.0-rc1
Type: Information Disclosure, Login Bypass
Risk: Critical
Date: 21st October 2005
Vendor: aRCHILLES (http://www.scriptworld.kh-webcenter.de)
Credit:
=======
These vulnerabilities were found by Christoph 'Chb' Burchert from http://www.incast-security.de/.
Description:
============
Newsworld is a simple news system with two access levels and a comfortable web administration interface. It is possible to create password-protected users who can post news. Newsworld saves its data in text files, so no SQL database is necessary.
Vulnerability 1: Information Disclosure
========================================
Vulnerable up to version 1.5.0-rc1.
Because Newsworld saves the user data in text files, it is possible to access this file directly and gain information about the users. The user accounts are stored in account.nwd and have the following format:
Until version 1.3.0:
1#admin#098f6bcd4621d373cade4e832627b4f6#admin@server.home.net#2#N#
UserID#Username#PasswordHash#eMail-address#Privileges#Banned?#
From version 1.3.0 up to 1.5.0-rc1:
1#admin#098f6bcd4621d373cade4e832627b4f6#webmaster@server.home.net#2#N#Y#
UserID#Username#PasswordHash#eMail-address#Privileges#Banned?#Uploadright?#
As you can see, this information should not be available. With it, the login may be bypassed; see Vulnerability 2 for details.
The account.nwd file is found at the following locations:
1.0.1: /accound.nwd
Since 1.1.0: /data/account.nwd
Vulnerability 2: Login Bypass
========================================
Vulnerable up to version 1.3.0.
If the user information has been obtained and the version is below 1.3.1, the login can be bypassed to gain access to the administration interface. The password hash itself cannot be entered in the login panel, because the script hashes the input and compares the result with the hash in account.nwd. There is still a way into the administration: admin_news.php accepts the credentials as request parameters and can be called directly:
http://localhost/newsworld-1.3.0/admin_news.php?action=console&id=<uid>&usr=<username>&pwd=<passwordhash>
Vulnerability 3: Login Bypass
========================================
Vulnerable from version 1.3.1 onward.
From version 1.3.1 the script uses sessions for the administration panel. However, the sessions are also saved in a file, session.nwd, which means the session ID of a user who is currently online can be copied. The session.nwd file has the following format:
3f3ea289d28b7e3472bdd1cfe5810ea0#1#admin#098f6bcd4621d373cade4e832627b4f6#1129918447
SessionID#UserID#Username#PasswordHash#Timestamp for timelimit
Copy the session ID and call the script as follows:
http://localhost/newsworld-1.3.2/admin_news.php?action=console&PHPSESSID=<sessionid>
This grants access to the administration panel.
Solution for Vulnerability 1:
========================================
Create a .htaccess that denies access to the account file (the original regex escaped the wrong character; a literal dot is escaped as \.):
<FilesMatch "account\.nwd$">
deny from all
</FilesMatch>
Solution for Vulnerability 2:
========================================
Hash the password twice before writing it to account.nwd, and have admin_news.php hash the parameter a second time before comparing it. Anyone who tries to get in through the parameters with a value taken from account.nwd will fail, because the value is hashed once more and then no longer matches the hash stored in account.nwd.
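The parameter check from Vulnerability 2 and the double-hash mitigation above, written out as an added Python illustration; this is not code from Newsworld (its admin_news.php is not shown here), the account.nwd record is constructed from the layout in Vulnerability 1, and the field names are assumed.

```python
import hashlib

# Constructed sample record in the account.nwd layout the advisory shows for
# versions up to 1.3.0; the hash is md5("test"), the value used in the advisory.
ACCOUNT_LINE = "1#admin#098f6bcd4621d373cade4e832627b4f6#admin@server.home.net#2#N#"

# Assumed field names for the two layouts described in Vulnerability 1.
FIELDS_PRE_130 = ("uid", "user", "pwhash", "email", "priv", "banned")
FIELDS_130_PLUS = FIELDS_PRE_130 + ("upload",)


def parse_account(line):
    """Split one account.nwd record; the trailing '#' leaves an empty last field."""
    parts = line.rstrip("\n").split("#")[:-1]
    names = {6: FIELDS_PRE_130, 7: FIELDS_130_PLUS}.get(len(parts))
    if names is None:
        raise ValueError("unexpected field count: %d" % len(parts))
    return dict(zip(names, parts))


def md5hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()


def original_check(stored_hash, pwd_param):
    """Models the check the advisory describes for admin_news.php: the pwd
    parameter is compared with the stored hash as-is, so a hash read from a
    leaked account.nwd is accepted unchanged."""
    return pwd_param == stored_hash


def hardened_check(stored_double_hash, pwd_param):
    """Solution 2 from the advisory: account.nwd holds md5(md5(password)) and
    admin_news.php hashes the parameter once more before comparing."""
    return md5hex(pwd_param) == stored_double_hash


def demo():
    """Returns (leaked hash accepted by the original check,
                leaked double hash accepted by the hardened check,
                legitimate single hash accepted by the hardened check)."""
    record = parse_account(ACCOUNT_LINE)
    leaked = record["pwhash"]                       # md5("test"), as stored today
    stored_double = md5hex(md5hex("test"))          # what Solution 2 would store
    return (
        original_check(record["pwhash"], leaked),
        hardened_check(stored_double, stored_double),   # replaying the leaked value
        hardened_check(stored_double, md5hex("test")),  # the login panel's own value
    )
```

The double hash only stops replay of a value read from account.nwd; the value sent in the URL is still a reusable credential, so the access rule from Solution 1 remains the essential fix.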
Solution for Vulnerability 3:
========================================
Create a .htaccess that denies access to the session file (again with the dot escaped as \.):
<FilesMatch "session\.nwd$">
deny from all
</FilesMatch>
Greetings:
========================================
Greets fly out to cracki, triple6 and all people from www.incast-security.de.