phpWebLog Administrator Authentication Bypass Vulnerability
| Bugtraq ID: | 2047 |
| Class: | Design Error |
| CVE: | CVE-2001-0088 |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 02 2000 12:00AM |
| Updated: | Jul 11 2009 03:56AM |
| Credit: | This vulnerability was first announced by João Gouveia <[email protected]> on December 2, 2000. |
| Vulnerable: | Jason Hines phpWebLog 0.4.2 |
| Not Vulnerable: | |
Discussion
phpWebLog is an open-source web news management system written by Jason Hines. A flaw in the application can allow users to gain administrative access to the management interface.
The flaw is in the common.inc.php script, which initializes the $CONF array incorrectly: every value in the array is reduced to the first character of the last value, which is language. The authentication scheme uses the MD5 hash of the Sitekey; because the Sitekey is stored in $CONF, it is reduced to the first letter of the language value. The scheme additionally uses the MD5 hash of the ROT-13 of the Sitekey as a cryptographic cookie. Together, these problems make it possible for a malicious user to guess the Sitekey (normally the first letter of the administrator's language), produce a custom-crafted password and cookie, and take administrative control of the message board.
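A defensive sketch of the point above, added here and not taken from phpWebLog: a startup check that detects the collapsed-configuration symptom and refuses admin logins, plus a keyed session tag in place of an unkeyed hash of the secret. The array keys, the 16-byte minimum, and the function names `audit_conf` and `session_tag` are assumptions; it requires PHP 7 or later.

```php
<?php
// Added example; not phpWebLog code. Key names and thresholds are assumptions.

// Return a list of problems found in a loaded, flat configuration array.
function audit_conf($conf, array $secretKeys, int $minLen = 16): array
{
    if (!is_array($conf)) {
        return ['configuration is ' . gettype($conf) . ', not an array'];
    }
    $problems = [];
    // Symptom from the advisory: every value collapsed to the same character.
    $scalars = array_map('strval', array_filter($conf, 'is_scalar'));
    if (count($scalars) > 1 && count(array_unique($scalars)) === 1
        && strlen(reset($scalars)) <= 1) {
        $problems[] = 'all values collapsed to one character';
    }
    foreach ($secretKeys as $key) {
        if (!isset($conf[$key]) || !is_string($conf[$key])) {
            $problems[] = "$key is missing or not a string";
        } elseif (strlen($conf[$key]) < $minLen) {
            $problems[] = "$key is shorter than $minLen bytes";
        }
    }
    return $problems;
}

// Cookie value bound to a random session id with a keyed MAC, replacing
// an unkeyed hash of a reversible transform of the secret.
function session_tag(string $siteKey, string $sessionId): string
{
    return hash_hmac('sha256', $sessionId, $siteKey);
}

// Constructed sample data: the collapsed state and a healthy one.
$collapsed = ['SiteName' => 'e', 'Sitekey' => 'e', 'language' => 'e'];
$healthy   = ['SiteName' => 'Example News',
              'Sitekey'  => bin2hex(random_bytes(32)),
              'language' => 'english'];

foreach (['collapsed' => $collapsed, 'healthy' => $healthy] as $name => $conf) {
    $problems = audit_conf($conf, ['Sitekey']);
    if ($problems) {
        // Fail closed: never authenticate against a broken configuration.
        echo "$name: refusing admin logins: " . implode('; ', $problems) . "\n";
        continue;
    }
    $sid = bin2hex(random_bytes(16));
    $tag = session_tag($conf['Sitekey'], $sid);
    var_dump(hash_equals($tag, session_tag($conf['Sitekey'], $sid)));
}
```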
Exploit / POC
See discussion.
Solution / Fix
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].