
List:       bugtraq
Subject:    aRCHILLES Newsworld < 1.5.0-rc1 Multiple Vulnerabilities
From:       chburchert () web ! de
Date:       2005-10-21 20:34:23
Message-ID: 20051021203423.12297.qmail () securityfocus ! com

aRCHILLES Newsworld < 1.5.0-rc1 Multiple Vulnerabilities

Software: aRCHILLES Newsworld
Vulnerable versions: <= 1.5.0-rc1
Type: Information Disclosure, Login Bypass
Risk: Critical
Date: 21st October 2005
Vendor: aRCHILLES (http://www.scriptworld.kh-webcenter.de)


Credit:
=======
These vulnerabilities were found by Christoph 'Chb' Burchert from http://www.incast-security.de/.


Description:
============
Newsworld is a simple news system with two access levels and a comfortable web administration interface. It is possible to create password-protected users who can post news. Newsworld saves its data in text files, so no SQL database is necessary.



Vulnerability 1: Information Disclosure
========================================
Vulnerable up to version 1.5.0-rc1.

Because Newsworld saves the user data in text files, it is possible to access this file to gain information about users. The user accounts are stored in account.nwd and have the following format:

Until version 1.3.0:
1#admin#098f6bcd4621d373cade4e832627b4f6#admin@server.home.net#2#N#
UserID#Username#PasswordHash#eMail-address#Privileges#Banned?#

From version 1.3.0 up to 1.5.0-rc1:
1#admin#098f6bcd4621d373cade4e832627b4f6#webmaster@server.home.net#2#N#Y#
UserID#Username#PasswordHash#eMail-address#Privileges#Banned?#Uploadright?#

This information should obviously not be accessible. With it you may be able to bypass the login; see Vulnerability 2 for details.

The account.nwd file is located at the following paths:
1.0.1: /accound.nwd
Since 1.1.0: /data/account.nwd


Vulnerability 2: Login Bypass
========================================
Vulnerable up to version 1.3.0.

If you have obtained the user information and the version is below 1.3.1, you can bypass the login and gain access to the administration interface. You cannot use the password hash in the login panel directly, because the script hashes the input and compares the result with the hash in account.nwd. There is still a way into the administration: admin_news.php can be called with its parameters to get in:

http://localhost/newsworld-1.3.0/admin_news.php?action=console&id=<uid>&usr=<username>&pwd=<passwordhash>



Vulnerability 3: Login Bypass
========================================
Vulnerable beyond version 1.3.0.

From version 1.3.1 the script uses sessions for the administration panel. However, the sessions are also saved in a file called session.nwd, which means you can copy the session ID of a user who is currently online. The session.nwd file has the following format:

3f3ea289d28b7e3472bdd1cfe5810ea0#1#admin#098f6bcd4621d373cade4e832627b4f6#1129918447
SessionID#UserID#Username#PasswordHash#Timestamp for timelimit

So copy the session ID and call the script as follows:
http://localhost/newsworld-1.3.2/admin_news.php?action=console&PHPSESSID=<sessionid>
You may then be logged into the administration panel.



Solution for Vulnerability 1:
========================================
Create a .htaccess (the pattern is a regular expression, so the dot must be escaped; on Apache 2.4 use "Require all denied" instead of "deny from all"):
<FilesMatch "^account\.nwd$">
deny from all
</FilesMatch>


Solution for Vulnerability 2:
========================================
You could hash the password twice before writing it into account.nwd. Then, in admin_news.php, hash the parameter a second time and compare it. If somebody tries to get in through the parameters it will not work, because the hash will be hashed again and will no longer match the value in account.nwd.
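Added example, not part of the advisory or of Newsworld's own code: a Python model of the two account.nwd layouts from Vulnerability 1 and of the admin_news.php parameter check from Vulnerability 2, beside the double-hash variant proposed above, so the difference between the two checks can be tested offline. It assumes the hashes are MD5 (the advisory's sample value is the MD5 of the string "test"); the function names are hypothetical and the record lines are constructed from the formats shown above.

```python
import hashlib

# Constructed records in the two account.nwd layouts shown in the advisory.
# The hash field is MD5("test"), the same value used in the advisory's sample.
ACCOUNT_NWD_OLD = "1#admin#098f6bcd4621d373cade4e832627b4f6#admin@server.home.net#2#N#"
ACCOUNT_NWD_NEW = "1#admin#098f6bcd4621d373cade4e832627b4f6#webmaster@server.home.net#2#N#Y#"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_account_line(line: str) -> dict:
    """Parse one account.nwd record; the trailing '#' produces an empty last field."""
    fields = line.rstrip("\r\n").split("#")[:-1]
    if len(fields) == 6:     # layout until 1.3.0
        keys = ["uid", "user", "pwhash", "email", "priv", "banned"]
    elif len(fields) == 7:   # layout 1.3.0 to 1.5.0-rc1 adds the Uploadright? flag
        keys = ["uid", "user", "pwhash", "email", "priv", "banned", "upload"]
    else:
        raise ValueError(f"unexpected field count {len(fields)}")
    return dict(zip(keys, fields))


def check_vulnerable(record: dict, pwd_param: str) -> bool:
    """Model of the pre-1.3.1 admin_news.php check: the pwd parameter is compared
    to the stored hash as-is, so a leaked stored hash is itself a valid credential."""
    return pwd_param == record["pwhash"]


def check_fixed(stored_double_hash: str, pwd_param: str) -> bool:
    """Model of the proposed fix: account.nwd stores md5(md5(pw)), the login panel
    passes md5(pw), and admin_news.php hashes the parameter once more before
    comparing. A leaked stored value no longer matches after that extra hash."""
    return md5hex(pwd_param) == stored_double_hash
```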


Solution for Vulnerability 3:
========================================
Create a .htaccess (again with the dot escaped in the pattern; "Require all denied" on Apache 2.4):
<FilesMatch "^session\.nwd$">
deny from all
</FilesMatch>



Greetings:
========================================
Greets fly out to cracki, triple6 and all people from www.incast-security.de.

