Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16157
HistoryFeb 23, 2007 - 12:00 a.m.

WebSpell > 4.0 Authentication Bypass and arbitrary code execution

2007-02-2300:00:00
vulners.com
39

WebSpell Authentication Bypass and arbitrary code execution

Vendor      : WebSpell
URL         : http://www.webspell.org/
Version     : All
Risk        : SQL Injection, unchecked file upload

Description:
webSPELL is a free Content Management System (CMS) for clans and gaming communities, providing all needed features like forums,
gallery, clanwar system. Because of some serious flaws in the login and cookie-handling function, login can be easily bypassed and
arbitrary php code executed via uploading a php file.
Notes: magic_quotes_gpc() has to be set OFF

Details:
Due to an SQL Injection via the sended 'ws_auth' cookie, WebSpell is vulnerable to an Authentication Bypass.

$login_per_cookie = false;

if(isset($_COOKIE['ws_auth']) AND !isset($_SESSION['ws_auth'])) {

$login_per_cookie = true;

$_SESSION['ws_auth'] = $_COOKIE['ws_auth'];

}

systeminc('login');

[…]

if(stristr($_SESSION['ws_auth'], "userid")===FALSE){

$authent = explode(":", $_SESSION['ws_auth']);

       $ws_user = $authent[0];

      $ws_pwd = $authent[1];

       $check = safe_query("SELECT userID FROM ".PREFIX."user WHERE userID='$ws_user' AND password='$ws_pwd'");

      while($ds=mysql_fetch_array($check)) {

         $loggedin=true;

        $userID=$ds['userID'];

  }

}

As seen in the above codee, the Cookie 'ws_auth' is divided into two parts: The userid and the password.
With the following cookie you can bypass this function and login as admin(userid 1):

1;' OR '1'='1

When 'logged in' an PHP-file with arbitrary code can be uploaded via the "add squad" feature.

Solution:
Use mysql_real_escape_String() or addslashes() for the safe_query()

Credits:
Robin Verton < r.verton at gmail com>