TUCoPS :: Web :: PHP :: bt144.txt

miniPortail (PHP) : Admin Access 




Informations :
°°°°°°°°°°°°°°
Language : PHP
Website : http://www.aldweb.com/
Version : 1.9, 2.0, 2.1, 2.2 (and less ?)
Problem : Admin Access


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°

admin/admin.php :

-----------------------------------------------------------------------------------------------------------------------------
[...]
$portalname = "miniPortailAdmin";
$cookiedata = "adminok";
include("mdp.php");

if (md5($pass) == $mdp) {
  setcookie($portalname, $cookiedata);
}
elseif ($logout == 1) {
  setcookie($portalname, "");
  header("location:../index.php");
}

$chemin = "../";
include($chemin."inc/includes.inc");

if (($HTTP_COOKIE_VARS[$portalname] == $cookiedata || md5($pass) == $mdp) && 
empty($pg)) {
  include($chemin."inc/hpage.inc");
  htable($admin1, "100%");

[...]

}
elseif ($HTTP_COOKIE_VARS[$portalname] == $cookiedata && !empty($pg)) {
  if (file_exists("inc/".$pg.".inc")) {
    $chemin = "../";
    include("inc/".$pg.".inc");
  }
[...]
-----------------------------------------------------------------------------------------------------------------------------


Exploit :
°°°°°°°
Set a cookie named miniPortailAdmin with for value "adminok" on 
http://[target]/admin/admin.php


Solution :
°°°°°°°°°

A patch has been created and can be found on http://www.phpsecure.info .


In admin/admin.php, replace the lines :
-------------------------------------------------------------------------------------------
[...]
$portalname = "miniPortailAdmin";
$cookiedata = "adminok";
include("mdp.php");

if (md5($pass) == $mdp) {
  setcookie($portalname, $cookiedata);
}
elseif ($logout == 1) {
  setcookie($portalname, "");
  header("location:../index.php");
}

$chemin = "../";
include($chemin."inc/includes.inc");

if (($HTTP_COOKIE_VARS[$portalname] == $cookiedata || md5($pass) == $mdp) && 
empty($pg)) {
[...]
-------------------------------------------------------------------------------------------

by :

---------------------------------------------------------------------------------------
include("mdp.php");
session_start();
$miniPortailAdmin = "";

if (md5($pass) == $mdp) {
  $miniPortailAdmin = "adminok";
  session_register("miniPortailAdmin");
}
elseif ($logout == 1) {
  session_unregister("miniPortailAdmin");
  header("location:../index.php");
}

$chemin = "../";
include($chemin."inc/includes.inc");

if ((session_is_registered("miniPortailAdmin") || md5($pass) == $mdp) && 
empty($pg)) {
---------------------------------------------------------------------------------------

and the line :

------------------------------------------------------------------------
elseif ($HTTP_COOKIE_VARS[$portalname] == $cookiedata && !empty($pg)) {
------------------------------------------------------------------------

by :

--------------------------------------------------------------------
elseif (session_is_registered("miniPortailAdmin") && !empty($pg)) {
--------------------------------------------------------------------



More Details :
°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/miniPortail.txt



frog-m@n

_________________________________________________________________
MSN Search, le moteur de recherche qui pense comme vous !  
http://search.fr.msn.be

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH