ECSHOP latest "cookie validation is not strict" vulnerability - vulnerability warning - the black bar safety net

2013-07-30T00:00:00
ID MYHACK58:62201339954
Type myhack58
Reporter mOon
Modified 2013-07-30T00:00:00

Description

This vulnerability was found by us during a non-authorized security assessment. The target was an ECShop site: with a known 0day we dumped the admin password hash, but we could not crack it. That raised the question of whether the MD5 ciphertext stored in the database could be placed in the cookie to log in directly.

Of course, that exact hypothesis did not hold, but we found that a closely related vulnerability does exist: reading the administrator's password ciphertext and the hash code out of the database through injection is all that is needed to log in to the backend.

We are not entirely sure how to characterize this vulnerability; we think "cookie validation is not strict" is a fitting name.

Roughly, the process is: the ECShop injection vulnerability yields the administrator's password hash, which cannot be cracked; combining that ciphertext with a few other standard pieces of information from the database, we construct a cookie that logs in successfully. Let us take a detailed look at this flaw.

The vulnerability exists because the cookie authentication is not strict. First, look at the verification done at the login page:

```php
if (!empty($ec_salt))
{
    /* check whether the password is correct */
    $sql = "SELECT user_id, user_name, password, last_login, action_list, last_login,suppliers_id,ec_salt".
           " FROM " . $ecs->table('admin_user') .
           " WHERE user_name = '" . $_POST['username']. "' AND password = '" . md5(md5($_POST['password']).$ec_salt) . "'";
}
else
{
    /* check whether the password is correct */
    $sql = "SELECT user_id, user_name, password, last_login, action_list, last_login,suppliers_id,ec_salt".
           " FROM " . $ecs->table('admin_user') .
           " WHERE user_name = '" . $_POST['username']. "' AND password = '" . md5($_POST['password']) . "'";
}
```
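To make the "not strict" point concrete, here is an added example (not ECShop's own code, and a simplified model rather than its real cookie logic) of a cookie check whose expected value is a pure function of columns in `admin_user`, placed beside a check keyed with a server-side secret. The `adminRow` sample, the `|`-separated cookie layout and `SERVER_SECRET` are all assumptions made for the illustration.

```php
<?php
// Added example, not ECShop's own code. Models the class of flaw described
// above: a login cookie whose value is derived only from database columns, so
// anyone able to read those columns (e.g. via SQL injection) can reproduce it
// without knowing the plaintext password.

// Constructed sample row standing in for a SELECT on admin_user (assumption).
$adminRow = [
    'user_id'  => 1,
    'password' => md5(md5('s3cret') . 'abc123'), // ECShop-style md5(md5(pw).ec_salt)
    'ec_salt'  => 'abc123',
];

// Weak check: expected value depends on nothing outside the database.
function weakCookieIsValid(string $cookie, array $row): bool
{
    $expected = $row['user_id'] . '|' . md5($row['password'] . $row['ec_salt']);
    return hash_equals($expected, $cookie);
}

// Hardened check: HMAC over user id, a per-login random session id and an
// expiry, keyed with a secret kept in config (file or env), never in the DB.
const SERVER_SECRET = 'PLACEHOLDER-load-random-key-from-config'; // placeholder

function issueCookie(int $userId, string $sessionId, int $expires): string
{
    $payload = $userId . '|' . $sessionId . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, SERVER_SECRET);
}

function strictCookieIsValid(string $cookie, int $now): ?int
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return null;
    }
    [$userId, $sessionId, $expires, $mac] = $parts;
    $payload = $userId . '|' . $sessionId . '|' . $expires;
    $good = hash_hmac('sha256', $payload, SERVER_SECRET);
    // Constant-time MAC comparison plus an expiry check; $sessionId should also
    // be looked up server-side so that logout can invalidate it.
    if (!hash_equals($good, $mac) || (int)$expires < $now) {
        return null;
    }
    return (int)$userId;
}

// A value rebuilt purely from the row satisfies the weak check but not the strict one;
// only a cookie minted with the server secret passes strictCookieIsValid().
$fromRow = $adminRow['user_id'] . '|' . md5($adminRow['password'] . $adminRow['ec_salt']);
var_dump(weakCookieIsValid($fromRow, $adminRow), strictCookieIsValid($fromRow, time()));
var_dump(strictCookieIsValid(issueCookie(1, bin2hex(random_bytes(16)), time() + 3600), time()));
```

The login query shown above has the same shape of problem in a second place: it should also be rewritten with a parameterized query and a per-user salted hash verified via `password_verify()` rather than string concatenation and bare MD5.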
