RCBlog 1.03 - Authentication Bypass

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1057335 漏洞类型
发布时间 2009-01-19 更新时间 2009-01-19
漏洞平台 PHP CVSS评分 N/A
Vendor: http://noahmedling.com
Version(s): RCBlog 1.03 (May also affect earlier versions)
Credit: Danny Moules
Critical: Yes

See PUSH 55 Advisory at https://www.push55.co.uk/index.php?s=ad&id=4


By default, the application provides public access to the text file which stores the MD5 hashes of the username/password and these can be found at:


These two hashes represent the username (first) and the password (second).

By default these are 9d0aea34e0f22cff881feb82c79ce76a and e20eeabd7d13800e1c30043b269fbc86 respectively.

We need two more hashes to fake the required credentials:

One is the MD5 hash of $_SERVER['PHP_SELF'] which is in this case "/rcblog" -> ad624ca84b593d66e3685e83e4a3618e

The other is the the MD5 hash of the public IP of the user, let's say "" -> 2e9e9f7c017ee2a1645a236d182fb28c

Finally we combine the hashes into one large string and craft it in a "rcb_id" cookie in the following order:

Directory -> IP Address -> Username -> Password

Resulting in:


We are then logged in with administrative privileges.

# milw0rm.com [2009-01-19]