Owl_Intranet_Engine.txt

2003-05-15T00:00:00
ID PACKETSTORM:31134
Type packetstorm
Reporter Christopher M Downs
Modified 2003-05-15T00:00:00

Description

--------------------------------------------------
Owl Intranet Engine - File Disclosure Vulnerability
--------------------------------------------------  
Date:  
5-12-03  
  
Advisory Url:  
http://sec.angrypacket.com/advisories.phtml  
  
Vendor Home Page:  
http://owl.sourceforge.net/  
  
Vendor Project Page:  
http://sourceforge.net/projects/owl  
  
Version Information:  
Owl 0.71  
  
Application Information:  
Owl is a multi-user document repository (knowledgebase) system written in PHP4 for publishing files/documents onto the web for a corporation, small business, group of people, or just for yourself.
  
Extra Information:  
Owl is written in PHP4 and stores its data in a MySQL database.  
  
Vulnerability Information:
By passing a URL query string with a bogus username (the loginname parameter) you can view the contents within the Owl interface. Using this technique you can bypass user authentication without holding a valid session ID.

Within the PHP source to Owl there is a browse.php script which calls its library (lib/owl.lib.php). This PHP library does not check for a valid user and password at this point, so the username supplied in the URL is accepted as the current user.
  
Code Snippet:  
intranet/lib/owl.lib.php  
  
------------------- snip ------------------
function verify_login($username, $password) {
    global $default;
    $sql = new Owl_DB;
    $sql->query("select * from $default->owl_users_table where username = '$username' and password = '" . md5($password) . "'");
    $numrows = $sql->num_rows($sql);
    // Bozz Begin added Password Encryption above, but for now
    // I will allow admin to use non crypted password until he
    // upgrades all users
    if ($numrows == "1") {
        while($sql->next_record()) {
            if ( $sql->f("disabled") == 1 )
                $verified["bit"] = 2;
            else
                $verified["bit"] = 1;
            $verified["user"] = $sql->f("username");
            $verified["uid"] = $sql->f("id");
            $verified["group"] = $sql->f("groupid");
            $maxsessions = $sql->f("maxsessions") + 1;
        }
    }
    // Remove this else in a future version
    else {
        if ($username == "admin") {
            $sql->query("select * from $default->owl_users_table where username = '$username' and password = '$password'");

------------------- snip ------------------
  
Exploit Sample:  
http://www.someplace.com/intranet/browse.php?loginname=whocares  
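The pattern the advisory describes, with a hardened form beside it, as an added example that is not code from Owl or from the advisory author: the weak page takes its idea of "who is logged in" from a name in the URL, while the fixed version takes identity only from a server-side session that a rewritten verify_login() populates after a real credential check. The PDO connection, the owl_users table name and columns, the login.php path and the helper names are assumptions.

```php
<?php
// Added example, not Owl's own code. Assumes a PDO connection to the Owl
// MySQL database, a table named owl_users with the columns the advisory's
// snippet reads (id, username, password, groupid, disabled) and a
// login.php page; the helper names are hypothetical.

declare(strict_types=1);

// Weak pattern the advisory describes (reconstructed, not copied from Owl):
// the page decides who the user is from a query-string value, so any
// ?loginname=... is accepted and no session is ever consulted.
function current_user_weak(array $get): string
{
    return $get['loginname'] ?? 'guest';
}

// Hardened replacement for the top of browse.php: identity comes only from
// the session verify_login() filled after a successful check. Anything in
// the URL is ignored for authentication purposes.
function require_login(string $loginUrl = '/intranet/login.php'): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['uid']) || empty($_SESSION['user'])) {
        header('Location: ' . $loginUrl, true, 302);
        exit;
    }
    return [
        'uid'   => (int) $_SESSION['uid'],
        'user'  => (string) $_SESSION['user'],
        'group' => (int) ($_SESSION['group'] ?? 0),
    ];
}

// Hardened verify_login(): a prepared statement instead of SQL built from
// the raw username, password_verify() instead of a bare md5() compare, and
// the session is populated only on success. Returns the verified record
// or null.
function verify_login(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password, groupid, disabled
           FROM owl_users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // One failure path whether the user is unknown, disabled or has the
    // wrong password, so the response does not say which it was.
    if ($row === false
        || (int) $row['disabled'] === 1
        || !password_verify($password, $row['password'])) {
        return null;
    }

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);          // fresh session ID after login
    $_SESSION['uid']   = (int) $row['id'];
    $_SESSION['user']  = (string) $row['username'];
    $_SESSION['group'] = (int) $row['groupid'];

    return [
        'uid'   => $_SESSION['uid'],
        'user'  => $_SESSION['user'],
        'group' => $_SESSION['group'],
    ];
}

// browse.php would then start with:
//   $me = require_login();
// and never read $_GET['loginname'].
```

Two design choices worth noting: password_verify() expects hashes produced by password_hash(), so an install that still holds the md5 values the original code compares against would need to re-hash each account on its next successful login; and a disabled account is refused outright here rather than returning the "bit = 2" marker the original sets, which keeps the decision in one place instead of leaving it to every caller.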
  
  
Credits:  
Angrypacket_Security ( you know wh0 you iz ), Methodic ( w0rd up j1gg4h ! ) dont worry you'll be in KC soon too !  
  
  
Url:  
http://www.sec.angrypacket.com  
  
  
  
Extra Stuff:  
Never underestimate the skillz of a fat man.  
  
~!>D  
  
  
  
  
------------------------------------------  
Network Security Engineer  
http://www.angrypacket.com  
Christopher M Downs,RHCE  
cdowns@bigunz.angrypacket.com  
  
char ash[]="\x48\x61\x69\x6C\x20"  
"\x74\x6F\x20\x74\x68\x65\x20\x4B"  
"\x69\x6E\x67";  
-------------------------------------------  