<<< Date Index >>>     <<< Thread Index >>>

PHP-Coolfile version 1.4 unauthorized access



/************************************
**---------------------------------**
**   RusH security team advisory   **
**---------------------------------**
**          www.rsteam.ru          **
**        http://rst.void.ru       **
************************************/

/***********************************/
 Product: PHP-Coolfile
 Version: 1.4
 Vuln: unauthorized access
 OffSite: http://dcom.bip.ru/coolfile/
/***********************************/
 Date: 11/11/2003
 Author: 1dt.w0lf // RsT
/***********************************/

Problem:
========
 Bug found in action.php file (string 96):

 [scip]
 if (@$action == "edit") { edit_file($file, $basename, @$filename); }
 if (@$action == "copy") { [scip] }
 if (@$action == "print_chmod") { [scip] }
 elseif ((@md5($uin) != session_id()) | (!@$uin)) { print "Access denied!"; } # 
96 string 
 [scip]

 last string (96) don't work if $action="copy" or any other...

Overview:
=========
 Any can view config.php file and get administration login and password

 Example: 
 www.site.com/php-coolfile/action.php?action=edit&file=config.php 

Solution:
=========
 1. Delete 96 string.
 2. copy this code in 23 string of action.php file
    if ((@md5($uin) != session_id()) OR (!@$uin)) { print "Access denied!"; 
exit; }

/***********************************/
 U can view RU version of this text 
 on our site http://www.rsteam.ru
/***********************************/
 Contacts:
 1dt.w0lf - idtwolf@xxxxxxxxx
 RusH team - r00t@xxxxxxxxx
/***********************************/