miniPortail (PHP) : Admin Access

2003-05-11T00:00:00
ID SECURITYVULNS:DOC:4508
Type securityvulns
Reporter Securityvulns
Modified 2003-05-11T00:00:00

Description

Informations : °°°°°°°°°°°°°° Language : PHP Website : http://www.aldweb.com/ Version : 1.9, 2.0, 2.1, 2.2 (and less ?) Problem : Admin Access

PHP Code/Location : °°°°°°°°°°°°°°°°°°°

admin/admin.php :


[...] $portalname = "miniPortailAdmin"; $cookiedata = "adminok"; include("mdp.php");

if (md5($pass) == $mdp) { setcookie($portalname, $cookiedata); } elseif ($logout == 1) { setcookie($portalname, ""); header("location:../index.php"); }

$chemin = "../"; include($chemin."inc/includes.inc");

if (($HTTP_COOKIE_VARS[$portalname] == $cookiedata || md5($pass) == $mdp) && empty($pg)) { include($chemin."inc/hpage.inc"); htable($admin1, "100%");

[...]

} elseif ($HTTP_COOKIE_VARS[$portalname] == $cookiedata && !empty($pg)) { if (file_exists("inc/".$pg.".inc")) { $chemin = "../"; include("inc/".$pg.".inc"); } [...]


Exploit : °°°°°°° Set a cookie named miniPortailAdmin with for value "adminok" on http://[target]/admin/admin.php

Solution : °°°°°°°°°

A patch has been created and can be found on http://www.phpsecure.info .

In admin/admin.php, replace the lines :

[...] $portalname = "miniPortailAdmin"; $cookiedata = "adminok"; include("mdp.php");

if (md5($pass) == $mdp) { setcookie($portalname, $cookiedata); } elseif ($logout == 1) { setcookie($portalname, ""); header("location:../index.php"); }

$chemin = "../"; include($chemin."inc/includes.inc");

if (($HTTP_COOKIE_VARS[$portalname] == $cookiedata || md5($pass) == $mdp) && empty($pg)) { [...]


by :


include("mdp.php"); session_start(); $miniPortailAdmin = "";

if (md5($pass) == $mdp) { $miniPortailAdmin = "adminok"; session_register("miniPortailAdmin"); } elseif ($logout == 1) { session_unregister("miniPortailAdmin"); header("location:../index.php"); }

$chemin = "../"; include($chemin."inc/includes.inc");

if ((session_is_registered("miniPortailAdmin") || md5($pass) == $mdp) && empty($pg)) {


and the line :


elseif ($HTTP_COOKIE_VARS[$portalname] == $cookiedata && !empty($pg)) {

by :


elseif (session_is_registered("miniPortailAdmin") && !empty($pg)) {

More Details : °°°°°°°°°°°° In French : http://www.frog-man.org/tutos/miniPortail.txt

frog-m@n


MSN Search, le moteur de recherche qui pense comme vous !
http://search.fr.msn.be