webspell40-multi.txt

`WebSpell Authentication Bypass and arbitrary code execution  
  
Vendor : WebSpell  
URL : http://www.webspell.org/  
Version : All  
Risk : SQL Injection, unchecked file upload  
  
Description:  
webSPELL is a free Content Management System (CMS) for clans and gaming communities, providing all needed features like forums,   
gallery, clanwar system. Because of some serious flaws in the login and cookie-handling function, login can be easily bypassed and   
arbitrary php code executed via uploading a php file.  
Notes: magic_quotes_gpc() has to be set OFF  
  
Details:  
Due to an SQL Injection via the sended 'ws_auth' cookie, WebSpell is vulnerable to an Authentication Bypass.   
  
$login_per_cookie = false;  
  
if(isset($_COOKIE['ws_auth']) AND !isset($_SESSION['ws_auth'])) {  
  
$login_per_cookie = true;  
  
$_SESSION['ws_auth'] = $_COOKIE['ws_auth'];  
  
}  
  
  
  
systeminc('login');  
  
[...]  
  
if(stristr($_SESSION['ws_auth'], "userid")===FALSE){  
  
$authent = explode(":", $_SESSION['ws_auth']);  
  
$ws_user = $authent[0];  
  
$ws_pwd = $authent[1];  
  
$check = safe_query("SELECT userID FROM ".PREFIX."user WHERE userID='$ws_user' AND password='$ws_pwd'");  
  
while($ds=mysql_fetch_array($check)) {  
  
$loggedin=true;  
  
$userID=$ds['userID'];  
  
}  
}  
  
As seen in the above codee, the Cookie 'ws_auth' is divided into two parts: The userid and the password.  
With the following cookie you can bypass this function and login as admin(userid 1):  
  
1;' OR '1'='1  
  
When 'logged in' an PHP-file with arbitrary code can be uploaded via the "add squad" feature.  
  
Solution:  
Use mysql_real_escape_String() or addslashes() for the safe_query()  
  
Credits:  
Robin Verton < r.verton at gmail com>  
  
`