[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[VulnWatch] [PHP] AttilaPHP 3.0 : User/Admin Access
- To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
- Subject: [VulnWatch] [PHP] AttilaPHP 3.0 : User/Admin Access
- From: "Frog Man" <leseulfrog@hotmail.com>
- Date: Tue, 26 Aug 2003 17:08:43 +0200
Informations :
°°°°°°°°°°°°°
Language : PHP
Version : 3.0 (and less ?)
Website : http://www.attila-php.net
Problem : User/Admin Access
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
www/global.php3 :
---------------------------------------------------------------------------------------------------------------------------
function get_identity()
{
global $cook_id, $TABLE_CURRENT_VISITS,$base;
$table=$TABLE_CURRENT_VISITS;
connect_db();
if (!$cook_id) { /** no cookie set? Visitor! **/
add_log("visit",14);
$query="SELECT * FROM $table Where visiteur=14";
$resu2=mysql_db_query($base,$query);
if (mysql_fetch_row($resu2)==0)
{
$query="INSERT INTO $table (id,visiteur) VALUES ('0','14')"; /** If no
entry for visitor, insert one **/
$resu=mysql_db_query($base,$query);
}
$query="SELECT * FROM $table Where visiteur=14";
$resu=mysql_db_query($base,$query);
$row=mysql_fetch_array($resu);
$valid=$row["ID"];
setcookie("cook_id",$valid);
return(14); exit;
}
$query="SELECT * FROM $table Where ID=$cook_id";
$resu=mysql_db_query($base,$query);
$row=mysql_fetch_array($resu);
$visiteur=$row["visiteur"];
return($visiteur);
}
---------------------------------------------------------------------------------------------------------------------------
/user.php3, www/user_action.php3 :
-------------------------------------------------------------------------
$identite=get_identity();
if ($identite==14) {header("Location: http://$weburl/index.php3";); exit;}
-------------------------------------------------------------------------
www/god_action.php3,www/god.php3 :
--------------------------------------------------------------
$identite=get_identity();
if ($identite!=1) {header("Location: http://$weburl";); exit; }
--------------------------------------------------------------
Exploit :
°°°°°°°
Set cookie named "cook_id" with the value "0 OR visiteur=1" on
http://[target]/index.php3 (or any other pages).
Patch :
°°°°°°°
A patch and more details can be found on http://www.phpsecure.info.
In www/global.php3, replace the line :
------------------------------------------------
$query="SELECT * FROM $table Where ID=$cook_id";
------------------------------------------------
by the lines :
--------------------------------------------------
$cook_id = addslashes($cook_id);
$query="SELECT * FROM $table Where ID='$cook_id'";
--------------------------------------------------
frog-m@n
_________________________________________________________________
Hotmail: votre e-mail gratuit ! http://www.fr.msn.be/hotmail