
diginews.txt

18 Jul 2003. Reported by Arnaud Jacques. Type: packetstorm. Source: packetstormsecurity.com

Digi-news and Digi-ads 1.1 allow admin access without a password because of a flaw in their cookie authentication check.

Code
`Digi-news and Digi-ads version 1.1 admin access without password  
  
.oO Overview Oo.  
Digi-news and Digi-ads version 1.1 admin access without password  
Discovered on 2003, March, 30th  
Vendor: Digi-FX  
  
Digi-news 1.1 is a PHP news editor. It allows you to easily add, edit, and   
delete news.  
Digi-ad 1.1 is a PHP ad rotator. It allows you to easily add, edit, reset, and   
delete ads.  
A vulnerability allows access to the admin area in both scripts, without the   
administrator password.  
Original text is at   
http://www.securiteinfo.com/attaques/hacking/digi-news1_1.shtml  
  
  
.oO Details Oo.  
In Digi-news or Digi-ad, the admin web page is admin.php.  
Here is a sample of the admin authentication in this admin.php:  
  
if (!isset($action)) {  
    $action = '';  
}  
if ($action == 'auth') {  
    auth();  
}  
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) &&   
    (@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {  
    login();  
    exit;  
}  
// Continued as admin logged...  
  
  
As you can see, the authentication scheme is based on a cookie. This cookie   
contains the user and the MD5 hashed password. But the programmer made a   
mistake:  
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) &&   
(@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {  
The login page is shown only when both comparisons fail. It means that   
"Admin is authenticated" if "user = user in the cookie" OR   
"password = password in the cookie". In plain English, you don't need the   
admin password as long as you know the admin login!  
The default admin login is "admin". If it doesn't work, try these :  
  
* Admin  
* Administrator  
* administrator  
* Root  
* root  
* the nickname of the admin (if known)  
* the surname of the admin (if known)  
* etc...  
  
  
.oO Exploit Oo.  
Ok, that's quite easy. You just have to send a handcrafted cookie containing   
user=admin. You can do that with the well-known Proxomitron.  
  
.oO Solution Oo.  
The solution is to replace the AND operation with an OR operation, as follows:  
if ((@$HTTP_COOKIE_VARS['user'] != $digiNews['user']) ||   
(@$HTTP_COOKIE_VARS['pass'] != md5($digiNews['pass']))) {  
The vendor has been informed and has fixed the problems. Download Digi-News 1.2   
and Digi-ads 1.2 at http://www.digi-fx.net/freescripts.php  
  
.oO Discovered by Oo.  
Arnaud Jacques aka scrap  
[email protected]  
http://www.securiteinfo.com  
  
`
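
The cookie cases from the Details section, run against the 1.1 condition, the 1.2 fix and a stricter variant, as an added example that is not part of the advisory or of Digi-FX's code. `$config` stands in for `$digiNews`, the function names and sample credentials are constructed, and `denied_strict` (string type check plus `hash_equals`) is an assumption that goes beyond the vendor fix.

```php
<?php
// Added example, not Digi-FX code. $config stands in for $digiNews and
// $cookies for $HTTP_COOKIE_VARS; credentials below are constructed.

// Digi-news 1.1 condition: deny only when BOTH comparisons fail.
function denied_v11(array $cookies, array $config): bool
{
    return (($cookies['user'] ?? null) != $config['user'])
        && (($cookies['pass'] ?? null) != md5($config['pass']));
}

// Fix from the advisory: deny when EITHER comparison fails.
function denied_v12(array $cookies, array $config): bool
{
    return (($cookies['user'] ?? null) != $config['user'])
        || (($cookies['pass'] ?? null) != md5($config['pass']));
}

// Stricter variant (assumption, beyond the vendor fix): both values must be
// strings and are compared with hash_equals() instead of loose !=.
function denied_strict(array $cookies, array $config): bool
{
    $user = $cookies['user'] ?? '';
    $pass = $cookies['pass'] ?? '';
    if (!is_string($user) || !is_string($pass)) {
        return true;
    }
    return !(hash_equals($config['user'], $user)
        && hash_equals(md5($config['pass']), $pass));
}

$config = ['user' => 'admin', 'pass' => 'constructed-secret'];
$cases = [
    'no cookies'        => [],
    'user only'         => ['user' => 'admin'],
    'hash only'         => ['pass' => md5('constructed-secret')],
    'user + wrong hash' => ['user' => 'admin', 'pass' => 'not-the-hash'],
    'user + hash'       => ['user' => 'admin', 'pass' => md5('constructed-secret')],
];

foreach ($cases as $name => $cookies) {
    printf("%-18s 1.1:%-6s 1.2:%-6s strict:%s\n", $name,
        denied_v11($cookies, $config) ? 'deny' : 'ADMIT',
        denied_v12($cookies, $config) ? 'deny' : 'ADMIT',
        denied_strict($cookies, $config) ? 'deny' : 'ADMIT');
}
```

The 1.1 condition admits every row except the first, while the 1.2 and strict checks admit only the last row, which makes this table usable as a regression test for the login guard.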
