
aRCHILLES Newsworld < 1.5.0-rc1 Multiple Vulnerabilities



Software: aRCHILLES Newsworld
Vulnerable versions: <= 1.5.0-rc1
Type: Information Disclosure, Login Bypass
Risk: Critical
Date: 21st October 2005
Vendor: aRCHILLES (http://www.scriptworld.kh-webcenter.de)


Credit:
=======
These vulnerabilities were found by Christoph 'Chb' Burchert from 
http://www.incast-security.de/.


Description:
============
Newsworld is a simple news system with two access levels and a comfortable 
web administration interface. It is possible to create password-protected users 
who can post news. Newsworld saves its data in text files, so no SQL database is 
necessary.



Vulnerability 1: Information Disclosure
========================================
Vulnerable up to version 1.5.0-rc1.

Because Newsworld saves the user data in text files, it is possible to request 
this file directly and gain information about the users. The user accounts are 
stored in account.nwd and have the following format:

Until version 1.3.0:
1#admin#098f6bcd4621d373cade4e832627b4f6#admin@xxxxxxxxxxxxxxx#2#N#
UserID#Username#PasswordHash#eMail-address#Privileges#Banned?#

From version 1.3.0 up to 1.5.0-rc1:
1#admin#098f6bcd4621d373cade4e832627b4f6#webmaster@xxxxxxxxxxxxxxx#2#N#Y#
UserID#Username#PasswordHash#eMail-address#Privileges#Banned?#Uploadright?#

As you can see, this information should not be publicly available. With it you 
may be able to bypass the login; see Vulnerability 2 for details.

The account.nwd file is located at the following places:
1.0.1: /account.nwd
Since 1.1.0: /data/account.nwd


Vulnerability 2: Login Bypass
========================================
Vulnerable up to version 1.3.0.

If you have obtained the user information and the version is below 1.3.1, you 
may bypass the login to gain access to the administration interface. You cannot 
use the password hash in the login panel, because the script hashes the input 
and compares the result with the hash in account.nwd. There is still a way into 
the administration: admin_news.php can be called directly with the following 
parameters:

http://localhost/newsworld-1.3.0/admin_news.php?action=console&id=<uid>&usr=<username>&pwd=<passwordhash>


Vulnerability 3: Login Bypass
========================================
Vulnerable in versions after 1.3.0.

From version 1.3.1 the script uses sessions for the administration panel. But 
the sessions are also saved in a file called session.nwd, which means you can 
copy the session ID of a user who is currently online. The session.nwd has the 
following format:

3f3ea289d28b7e3472bdd1cfe5810ea0#1#admin#098f6bcd4621d373cade4e832627b4f6#1129918447
SessionID#UserID#Username#PasswordHash#Timestamp for time limit

So copy the session ID and call the script as follows:
http://localhost/newsworld-1.3.2/admin_news.php?action=console&PHPSESSID=<sessionid>
You should then be in the administration interface.



Solution for Vulnerability 1:
========================================
Create a .htaccess (the pattern is a regular expression, so the dot is escaped):
    <FilesMatch "account\.nwd$">
        Order allow,deny
        Deny from all
    </FilesMatch>


Solution for Vulnerability 2:
========================================
You could hash the password twice before writing it into account.nwd, and then 
hash the pwd parameter a second time in admin_news.php before comparing it. If 
somebody tries to get in through the parameters with a hash copied from 
account.nwd, it will not work, because the supplied value is hashed again and 
then no longer matches the value stored in account.nwd.
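The following is an added illustration, not Newsworld's own code: the parameter check that Vulnerability 2 describes, beside the double-hash variant from Solution 2, run against a constructed account.nwd line. It assumes the hash is MD5 (the advisory's sample hash is md5("test")) and that the first three '#'-separated fields are UserID, Username and PasswordHash as shown above; restricting access to the file (Solution 1) remains the primary fix, since a leaked hash still allows offline guessing.

```php
<?php
// Added example (not from the Newsworld code base). Assumptions: '#'-separated
// fields as in the advisory, MD5 password hashes, field order UserID#Username#Hash.

/** Parse one account.nwd line into its first three named fields. */
function parse_account_line(string $line): array
{
    $f = explode('#', rtrim($line, "\r\n"));
    return ['uid' => $f[0], 'user' => $f[1], 'hash' => $f[2]];
}

/** Check as described for versions below 1.3.1: the pwd parameter is compared
 *  directly with the stored hash, so a copy of account.nwd is sufficient. */
function check_vulnerable(array $acct, string $usr, string $pwd): bool
{
    return $acct['user'] === $usr && $acct['hash'] === $pwd;
}

/** Solution 2: account.nwd stores md5(md5(password)) ... */
function store_hash_fixed(string $password): string
{
    return md5(md5($password));
}

/** ... and admin_news.php hashes the pwd parameter once more before comparing,
 *  so the value read from the file can no longer be replayed as the parameter. */
function check_fixed(array $acct, string $usr, string $pwd): bool
{
    return $acct['user'] === $usr && hash_equals($acct['hash'], md5($pwd));
}

// Constructed sample lines for password "test" in both storage schemes.
$vuln  = parse_account_line("1#admin#" . md5('test') . "#admin@example.invalid#2#N#\n");
$fixed = parse_account_line("1#admin#" . store_hash_fixed('test') . "#admin@example.invalid#2#N#\n");

// Replaying the stored hash against the old check.
var_dump(check_vulnerable($vuln, 'admin', $vuln['hash']));
// Replaying the stored (double) hash against the fixed check.
var_dump(check_fixed($fixed, 'admin', $fixed['hash']));
// A legitimate caller that knows the password and supplies md5(password).
var_dump(check_fixed($fixed, 'admin', md5('test')));
```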


Solution for Vulnerability 3:
========================================
Create a .htaccess (the pattern is a regular expression, so the dot is escaped):
    <FilesMatch "session\.nwd$">
        Order allow,deny
        Deny from all
    </FilesMatch>



Greetings:
========================================
Greets fly out to cracki, triple6 and all people from www.incast-security.de.