dynaliens v2.0/v2.1 bypass admin authentication + XSS

2007-03-13 / 2007-03-14
Credit: sn0oPy
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-79

* dynaliens v2.0/v2.1 bypass admin authentication + XSS
* By : sn0oPy
* Risk : high
* site : http://www.spiderforce.fr.st/
* Dork : inurl:"/dynaliens"

* exploit :

Normally, when "/admin" is appended to the application URL, as in http://www.target.ma/dynaliens/admin , the visitor is presented with a restricted area (an HTTP Basic authentication prompt). But if "validlien.php3" is appended after the admin folder, the visitor is taken straight to the admin console without authenticating. The PHP_AUTH_USER check is present only in the index script:

    if ($auth == 0) {
      if(!$PHP_AUTH_USER) {
        Header("WWW-authenticate: basic realm=\"$domaine\"");
        Header("HTTP/1.0 401 Unauthorized");
        // Below is the code displayed if the user clicks the Cancel button
        EnteteADMIN();
        ....
    if ($PHP_AUTH_USER==$login && $PHP_AUTH_PW==$pwd) {
      if (@mysql_connect ($cfgHote, $cfgUser, $cfgPass)) {
        $sql = "SELECT * FROM $tb_rub";
        $sql = mysql_db_query($cfgBase,$sql);
        $nbrub = mysql_num_rows($sql);
        $sql2 = "SELECT * FROM $tb_liens WHERE valid=0";
        $sql2 = mysql_db_query($cfgBase,$sql2);
        $addlien = mysql_num_rows($sql2);
        $sql3 = "SELECT * FROM $tb_liens WHERE valid=1";
        $sql3 = mysql_db_query($cfgBase,$sql3);
        $dellien = mysql_num_rows($sql3);
        EnteteADMIN();
        br(4);
        echo "<center>";
        DebutTableau("#FFFFFF", "1", "0", "30%");
        DebutTableau("#5A6BA5", "20", "0", "100%");
        echo "<center>";
        echo "<font color='#FDFC65'><b>CONSOLE D'ADMINISTRATION</b></font>";
        echo "</center>";

The same bypass works with any of the following files, as long as the administrator has not edited them to add the check:
validlien.php3
supprlien.php3
supprub.php3
confsuppr.php3
modiflien.php3
confmodif.php3

XSS : http://www.target.ma/dynaliens/recherche.php3
XSS : http://www.target.ma/dynaliens/ajouter.php3

* contact : sn0oPy (at) avenir-geopolitique (dot) net [email concealed]
* greetz : [subzero], Avg Team(forums.avenir-geopolitique.net).
* Reference : http://forums.avenir-geopolitique.net/viewtopic.php?t=2722
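The root cause above is an authentication check that lives in one script instead of in front of every admin script. The following is an added example written for this write-up, not dynaliens code: a single include that each file under admin/ requires before producing any output, so a direct request to validlien.php3 meets the same challenge as index. The file name, the environment variables and the function name are assumptions.

```php
<?php
// admin/auth_check.php (assumed name; added example, not dynaliens code).
// Every script under admin/ (index, validlien, supprlien, modiflien, ...)
// must begin with:  require __DIR__ . '/auth_check.php';
// so the check cannot be skipped by requesting a script directly.

declare(strict_types=1);

function dynaliens_require_admin(string $login, string $pwdHash, string $realm): void
{
    // Read credentials from $_SERVER only, never from an unscoped global
    // such as $PHP_AUTH_USER whose presence depends on register_globals.
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';

    // Compare the username in constant time and the password against a
    // password_hash() digest instead of a plaintext $pwd from the config.
    $ok = $user !== ''
        && hash_equals($login, $user)
        && password_verify($pass, $pwdHash);

    if (!$ok) {
        // Same challenge the index script sends, but followed by exit():
        // nothing after this include runs for an unauthenticated request.
        header('WWW-Authenticate: Basic realm="' . $realm . '"');
        header('HTTP/1.0 401 Unauthorized');
        exit('Unauthorized');
    }
}

// Assumed configuration source: the admin login, a password_hash() digest
// and the realm come from the environment rather than from PHP globals.
dynaliens_require_admin(
    getenv('DYNALIENS_ADMIN_USER') ?: '',
    getenv('DYNALIENS_ADMIN_PWD_HASH') ?: '',
    getenv('DYNALIENS_REALM') ?: 'dynaliens admin'
);
```

Under CGI/FastCGI SAPIs Apache does not hand Basic credentials to PHP by default, so the more robust fix is a web-server level auth rule on the whole admin/ directory, which protects every file uniformly regardless of what each script does.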


Copyright 2019, cxsecurity.com