miniPortail (PHP) : Admin Access

["Frog Man" <leseulfrog () hotmail com>]

Informations :
°°°°°°°°°°°°°°
Language : PHP
Website : http://www.aldweb.com/
Version : 1.9, 2.0, 2.1, 2.2 (and less ?)
Problem : Admin Access


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°

admin/admin.php :

-----------------------------------------------------------------------------------------------------------------------------
[...]
$portalname = "miniPortailAdmin";
$cookiedata = "adminok";
include("mdp.php");

if (md5($pass) == $mdp) {
 setcookie($portalname, $cookiedata);
}
elseif ($logout == 1) {
 setcookie($portalname, "");
 header("location:../index.php");
}

$chemin = "../";
include($chemin."inc/includes.inc");

if (($HTTP_COOKIE_VARS[$portalname] == $cookiedata || md5($pass) == $mdp) && 
empty($pg)) {
 include($chemin."inc/hpage.inc");
 htable($admin1, "100%");

[...]

}
elseif ($HTTP_COOKIE_VARS[$portalname] == $cookiedata && !empty($pg)) {
 if (file_exists("inc/".$pg.".inc")) {
   $chemin = "../";
   include("inc/".$pg.".inc");
 }
[...]
-----------------------------------------------------------------------------------------------------------------------------


Exploit :
°°°°°°°
Set a cookie named miniPortailAdmin with for value "adminok" on 
http://[target]/admin/admin.php


Solution :
°°°°°°°°°

A patch has been created and can be found on http://www.phpsecure.info .


In admin/admin.php, replace the lines :
-------------------------------------------------------------------------------------------
[...]
$portalname = "miniPortailAdmin";
$cookiedata = "adminok";
include("mdp.php");

if (md5($pass) == $mdp) {
 setcookie($portalname, $cookiedata);
}
elseif ($logout == 1) {
 setcookie($portalname, "");
 header("location:../index.php");
}

$chemin = "../";
include($chemin."inc/includes.inc");

if (($HTTP_COOKIE_VARS[$portalname] == $cookiedata || md5($pass) == $mdp) && 
empty($pg)) {
[...]
-------------------------------------------------------------------------------------------

by :

---------------------------------------------------------------------------------------
include("mdp.php");
session_start();
$miniPortailAdmin = "";

if (md5($pass) == $mdp) {
 $miniPortailAdmin = "adminok";
 session_register("miniPortailAdmin");
}
elseif ($logout == 1) {
 session_unregister("miniPortailAdmin");
 header("location:../index.php");
}

$chemin = "../";
include($chemin."inc/includes.inc");

if ((session_is_registered("miniPortailAdmin") || md5($pass) == $mdp) && 
empty($pg)) {
---------------------------------------------------------------------------------------

and the line :

------------------------------------------------------------------------
elseif ($HTTP_COOKIE_VARS[$portalname] == $cookiedata && !empty($pg)) {
------------------------------------------------------------------------

by :

--------------------------------------------------------------------
elseif (session_is_registered("miniPortailAdmin") && !empty($pg)) {
--------------------------------------------------------------------



More Details :
°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/miniPortail.txt



frog-m@n

_________________________________________________________________
MSN Search, le moteur de recherche qui pense comme vous !  
http://search.fr.msn.be