aRCHILLES Newsworld < 1.5.0-rc1 Multiple Vulnerabilities
Software: aRCHILLES Newsworld
Vulnerable versions: <= 1.5.0-rc1
Type: Information Disclosure, Login Bypass
Risk: Critical
Date: 21st October 2005
Vendor: aRCHILLES (http://www.scriptworld.kh-webcenter.de)
Credit:
=======
These vulnerabilities were found by Christoph 'Chb' Burchert from
http://www.incast-security.de/.
Description:
============
Newsworld is a simple news system with two access levels and a comfortable
web-administration interface. It is possible to create password-protected users
who can post news. Newsworld saves its data in text files, so no SQL database is
necessary.
Vulnerability 1: Information Disclosure
========================================
Vulnerable up to version 1.5.0-rc1.
Because Newsworld saves the user data in text files, it is possible to request
this file directly and gain information about users. The user accounts are
stored in account.nwd and have the following format:
Until version 1.3.0:
1#admin#098f6bcd4621d373cade4e832627b4f6#admin@xxxxxxxxxxxxxxx#2#N#
UserID#Username#PasswordHash#eMail-address#Privileges#Banned?#
From version 1.3.0 up to 1.5.0-rc1:
1#admin#098f6bcd4621d373cade4e832627b4f6#webmaster@xxxxxxxxxxxxxxx#2#N#Y#
UserID#Username#PasswordHash#eMail-address#Privileges#Banned?#Uploadright?#
As you can see, this information should not be available. With this information
you may be able to bypass the login; see Vulnerability 2 for more information
concerning this.
You find account.nwd in the following places:
1.0.1: /accound.nwd
Since 1.1.0: /data/account.nwd
Vulnerability 2: Login Bypass
========================================
Vulnerable up to version 1.3.0.
If you have obtained the user information and the version is below 1.3.1, you
may bypass the login and gain access to the administration interface. You
cannot use the hash of the password in the login panel, because the script
hashes the input and compares it with the hash in account.nwd. There is still a
way into the administration: admin_news.php can be called directly with its
parameters to get in:
http://localhost/newsworld-1.3.0/admin_news.php?action=console&id=<uid>&usr=<username>&pwd=<passwordhash>
Vulnerability 3: Login Bypass
========================================
Vulnerable beyond version 1.3.0.
From version 1.3.1 the script uses sessions for the administration panel. But
the sessions are also saved in a file, called session.nwd. This means you can
copy the session ID of a user who is currently online. The session.nwd has the
following format:
3f3ea289d28b7e3472bdd1cfe5810ea0#1#admin#098f6bcd4621d373cade4e832627b4f6#1129918447
SessionID#UserID#Username#PasswordHash#Timestamp for timelimit
So copy the session id and call the script as follows:
http://localhost/newsworld-1.3.2/admin_news.php?action=console&PHPSESSID=<sessionid>
Then you may be in the administration interface.
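The record layouts for account.nwd (both the pre-1.3.0 and the 1.3.0+ variant) and session.nwd described under Vulnerability 1 and Vulnerability 3 are small enough to parse in a few lines. The following Python script is an added example, not part of the advisory or of Newsworld itself: it detects the two account layouts by field count, parses session records, and reports which session IDs are still usable so an administrator can see exactly what a web-readable copy of these files exposes. The sample records are constructed here (the hash is md5("test"), as in the advisory). The advisory does not say how the session time limit is computed; the idle-limit interpretation in `stale_sessions` is an assumption, as is the 1800-second default.

```python
# Constructed sample records in the layouts the advisory documents. Not taken
# from a real installation; the hash is md5("test"), as in the advisory.
ACCOUNT_NWD_PRE_130 = "1#admin#098f6bcd4621d373cade4e832627b4f6#admin@example.invalid#2#N#\n"
ACCOUNT_NWD_130_PLUS = "1#admin#098f6bcd4621d373cade4e832627b4f6#webmaster@example.invalid#2#N#Y#\n"
SESSION_NWD = "3f3ea289d28b7e3472bdd1cfe5810ea0#1#admin#098f6bcd4621d373cade4e832627b4f6#1129918447\n"

ACCOUNT_FIELDS = ("uid", "username", "password_hash", "email", "privileges", "banned")
ACCOUNT_FIELDS_130 = ACCOUNT_FIELDS + ("upload_right",)
SESSION_FIELDS = ("session_id", "uid", "username", "password_hash", "timestamp")


def _split_record(line):
    """Split a '#'-separated record; account records end in a trailing '#'."""
    fields = line.rstrip("\r\n").split("#")
    if fields and fields[-1] == "":
        fields.pop()
    return fields


def parse_account_line(line):
    """Parse one account.nwd record, telling the pre-1.3.0 (6 field) and
    1.3.0+ (7 field, with upload right) layouts apart by field count."""
    fields = _split_record(line)
    if len(fields) == len(ACCOUNT_FIELDS):
        names = ACCOUNT_FIELDS
    elif len(fields) == len(ACCOUNT_FIELDS_130):
        names = ACCOUNT_FIELDS_130
    else:
        raise ValueError("unexpected account record with %d fields: %r" % (len(fields), line))
    rec = dict(zip(names, fields))
    rec["uid"] = int(rec["uid"])
    rec["privileges"] = int(rec["privileges"])
    rec["banned"] = rec["banned"] == "Y"
    if "upload_right" in rec:
        rec["upload_right"] = rec["upload_right"] == "Y"
    return rec


def parse_session_line(line):
    """Parse one session.nwd record (no trailing '#', per the advisory)."""
    fields = _split_record(line)
    if len(fields) != len(SESSION_FIELDS):
        raise ValueError("unexpected session record with %d fields: %r" % (len(fields), line))
    rec = dict(zip(SESSION_FIELDS, fields))
    rec["uid"] = int(rec["uid"])
    rec["timestamp"] = int(rec["timestamp"])
    return rec


def parse_file(text, parse_line):
    """Parse every non-blank line, collecting malformed lines separately so
    one bad record does not hide the rest."""
    records, bad = [], []
    for lineno, line in enumerate(text.splitlines(keepends=True), 1):
        if not line.strip():
            continue
        try:
            records.append(parse_line(line))
        except ValueError as exc:
            bad.append((lineno, str(exc)))
    return records, bad


def stale_sessions(session_records, now, idle_limit):
    """Sessions whose timestamp is older than idle_limit seconds.

    Assumption (not stated in the advisory): the last field is the time the
    session was last seen, and the time limit is an idle limit from that point.
    """
    return [s for s in session_records if now - s["timestamp"] > idle_limit]


def audit(account_text, session_text, now, idle_limit=1800):
    """Summarise what anyone able to read the two files learns: every account
    with its privilege level, and every session ID that is still usable."""
    accounts, bad_acc = parse_file(account_text, parse_account_line)
    sessions, bad_sess = parse_file(session_text, parse_session_line)
    stale = {s["session_id"] for s in stale_sessions(sessions, now, idle_limit)}
    return {
        "accounts": [(a["username"], a["privileges"], a["banned"]) for a in accounts],
        "live_sessions": [s["session_id"] for s in sessions if s["session_id"] not in stale],
        "malformed": bad_acc + bad_sess,
    }


if __name__ == "__main__":
    # 600 seconds after the constructed session timestamp: the session is still live.
    print(audit(ACCOUNT_NWD_130_PLUS, SESSION_NWD, now=1129918447 + 600))
```

Run against copies of the real files, `audit` lists exactly the data the two .htaccess rules in the solutions below are meant to keep off the web: usernames with their hashes, and session IDs that can be replayed while they are live.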
Solution for Vulnerability 1:
========================================
Create a .htaccess in the directory containing account.nwd (/data/ since
version 1.1.0):
<FilesMatch "^account\.nwd$">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
    deny from all
</FilesMatch>
Solution for Vulnerability 2:
========================================
You could hash the password twice before writing it into account.nwd, and then
hash the parameter a second time in admin_news.php before checking it. If
somebody tries to get in through the parameters it will not work, because the
supplied hash is hashed again and then no longer matches the value in
account.nwd.
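To make the reasoning behind this fix concrete, the following Python script is an added example (not Newsworld's PHP, and not the advisory author's code) that models both check paths side by side: the single-hash scheme described for versions up to 1.3.0, where the `pwd` parameter is compared with the stored hash as-is, and the double-hash scheme proposed above. MD5 is used only because that is the hash format account.nwd shows (the sample hash on the page is md5("test")); the function names and the constant-time comparison are this example's own choices.

```python
import hashlib
import hmac


def md5_hex(s):
    """MD5 hex digest, matching the hash format in account.nwd. MD5 is used
    only to mirror the file format; new code should use a password hash
    such as bcrypt or Argon2 with a per-user salt."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def same(a, b):
    """Constant-time comparison of two hex strings."""
    return hmac.compare_digest(a, b)


# --- Scheme as described for Newsworld up to 1.3.0: account.nwd holds md5(password) ---

def store_single(password):
    return md5_hex(password)


def login_form_single(stored, typed_password):
    """Login panel: hashes the typed password and compares with the file."""
    return same(stored, md5_hex(typed_password))


def param_login_single(stored, pwd_param):
    """admin_news.php?...&pwd=<hash>: the parameter is compared with the file
    as-is, so the stored hash itself is accepted as a credential."""
    return same(stored, pwd_param)


# --- Proposed fix: account.nwd holds md5(md5(password)); hash pwd once more ---

def store_double(password):
    return md5_hex(md5_hex(password))


def login_form_double(stored, typed_password):
    """Login panel hashes the typed password twice."""
    return same(stored, md5_hex(md5_hex(typed_password)))


def param_login_double(stored, pwd_param):
    """The parameter is expected to be md5(password) and is hashed again, so
    the value stored in account.nwd is no longer a valid credential."""
    return same(stored, md5_hex(pwd_param))


def demo(password="test"):
    """Return (stored_value_accepted_single, stored_value_accepted_double,
    legitimate_param_accepted_double) for the given password."""
    s1 = store_single(password)
    s2 = store_double(password)
    return (
        param_login_single(s1, s1),                 # stored hash reused: accepted
        param_login_double(s2, s2),                 # stored hash reused: rejected
        param_login_double(s2, md5_hex(password)),  # caller knows the password: accepted
    )


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The double hash only stops direct reuse of the file contents; whoever can read account.nwd still holds an unsalted MD5 value that can be attacked offline, so this change belongs together with the .htaccess rule from Solution 1 rather than instead of it.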
Solution for Vulnerability 3:
========================================
Create a .htaccess in the directory containing session.nwd:
<FilesMatch "^session\.nwd$">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
    deny from all
</FilesMatch>
Greetings:
========================================
Greets fly out to cracki, triple6 and all people from www.incast-security.de.