[Security Lesson] Find the Vulnerability and Exploit :: 2


[Security Lesson] Find the Vulnerability and Exploit :: 2

Postby Highway of Life » 17 Feb 2009, 23:39

As usual, please enclose your answers in the spoiler BBCode
Code:
[spoiler]your answers[/spoiler]


In this lesson, explain the various vulnerabilities found in this code; next, create a test case that can be used to find out how an attacker would exploit those vulnerabilities.
Once a sufficient number of answers are given, I will break down the responses and the code.
Login action page:
Code:
<?php

$user = $_POST['username'];
$pass = $_POST['password'];

// Fetches every row of cms_admin; after the loop only the last row's values remain
$select_admin = mysql_query("SELECT * FROM cms_admin");

while ($dati_admin = mysql_fetch_array($select_admin))
{
    $username = $dati_admin['username'];
    $password = $dati_admin['password'];
}

// Plain-text comparison; on success a "login=OK" cookie marks the browser as logged in
// ($logintime is assumed to be defined elsewhere in the CMS)
if ($user == $username && $pass == $password)
{
    setcookie("login", "OK", time() + $logintime);
}


admin/delete_page.php
Code:
$admin = ($_COOKIE['login'] == 'OK') ? true : false;

if ($admin)
    $id = $_GET['id'];

    $delete = mysql_query("DELETE FROM cms_content WHERE id='$id'");

    if ($delete)
    {
        echo "" . _DELETE_PAGE_SUCCESS . "";
    }
    else
    {
        echo "" . _DELETE_PAGE_ERROR . "";
    }
Watch out! I might do a code wheelie!
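For comparison, a hardened counterpart of the login action above, added here as an example and not part of the original post. It assumes a cms_admin table whose password column stores password_hash() output, a mysqli connection in $db, and that session_start() has already run; the login state lives only in the server-side session, never in a cookie value the client can set.

```php
<?php
// Added example (not the thread's code): hardened login action.
// Assumes: cms_admin.password holds password_hash() output, $db is a mysqli
// connection, and session_start() has been called before this file runs.

function admin_login(mysqli $db, string $user, string $pass): bool
{
    // Prepared statement: the username is bound, not interpolated into the SQL
    $stmt = $db->prepare("SELECT password FROM cms_admin WHERE username = ? LIMIT 1");
    $stmt->bind_param("s", $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    // Verify against the stored hash; an unknown user fails the same way as a wrong password
    if (!$found || !password_verify($pass, $hash)) {
        return false;
    }

    // Privilege change: issue a fresh session id (fixation defence), then record the login
    // server-side together with a per-session CSRF token for the admin actions
    session_regenerate_id(true);
    $_SESSION['admin'] = true;
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && admin_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    header('Location: admin/index.php');
    exit;
}
echo 'Login failed';
```

Because the browser only ever holds the opaque session id, there is no "login=OK" value for it to forge; the admin flag is looked up on the server.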


Re: [Security Lesson] Find the Vulnerability and Exploit :: 2

Postby Obsidian » 18 Feb 2009, 14:00

Spoiler:
Code:
setcookie("login", "OK", time() + $logintime);


It's quite easy to alter/add cookies if you know how...so using setcookie() can't really be trusted. Login information ought to be stored in a separate table, one that is protected from any and all outside access.
うるさいうるさいうるさい!

StopForumSpam Spam Reporting Database
Giving xrumer and friends a great big "screw you" since 2007.

Re: [Security Lesson] Find the Vulnerability and Exploit :: 2

Postby Highway of Life » 18 Feb 2009, 14:25

@sTraTo, good!
Now can you explain how it can be exploited? (If not, don't worry about it, it will be explained in fine detail when we receive a good number of answers).

Re: [Security Lesson] Find the Vulnerability and Exploit :: 2

Postby Mr_Bond » 18 Feb 2009, 15:24

Spoiler:
Code:
$admin = ($_COOKIE['login'] == 'OK') ? true : false;


That is only checking that the cookie 'login' has the value of 'OK' and if it does, it assumes they are an administrator. Someone can easily create a cookie called 'login' with 'OK' as its value and they can then gain access and delete whatever is being stored in the 'cms_content' table.

As sTraTo said, it ought to be stored in a database table where you can validate the user's credentials, e.g. check to make sure it is the same IP, browser string, session id etc. against the ones being provided by the user.

Re: [Security Lesson] Find the Vulnerability and Exploit :: 2

Postby Obsidian » 19 Feb 2009, 12:09

Highway of Life wrote:
@sTraTo, good!
Now can you explain how it can be exploited? (If not, don't worry about it, it will be explained in fine detail when we receive a good number of answers).


Spoiler:
False cookie, CSRF, Cross-site-scripting, etc.


Edit: /me slaps self for forgetting the spoiler tag

Re: [Security Lesson] Find the Vulnerability and Exploit :: 2

Postby Highway of Life » 19 Feb 2009, 21:50

Right, but can you provide a working exploit? :D

Re: [Security Lesson] Find the Vulnerability and Exploit :: 2

Postby Obsidian » 20 Feb 2009, 10:18

Hmmm...

Spoiler:
Assuming you'd created the false cookie or whatever, and got into the admin page...

Code:
if ($admin)
    $id = $_GET['id'];

    $delete = mysql_query("DELETE FROM cms_content WHERE id='$id'");

I see a possibility for an SQL injection via the $_GET superglobal array. :)

Re: [Security Lesson] Find the Vulnerability and Exploit :: 2

Postby chaoskreator » 01 Mar 2009, 14:30

Spoiler:
There is a possibility of a SQL injection with the
Code:
$id = $_GET['id'];



Re: [Security Lesson] Find the Vulnerability and Exploit :: 2

Postby Techie-Micheal » 14 Mar 2009, 18:45

Spoiler:
Technically, the problem isn't until you get to here:

Code:
$admin = ($_COOKIE['login'] == 'OK') ? true : false;

if ($admin)
    $id = $_GET['id'];

as that's when the code actually gets abused.

Also, there's a syntax error. Did anybody catch it?

Code:
$admin = ($_COOKIE['login'] == 'OK') ? true : false;

if ($admin)
    $id = $_GET['id'];

    $delete = mysql_query("DELETE FROM cms_content WHERE id='$id'");

    if ($delete)
    {
        echo "" . _DELETE_PAGE_SUCCESS . "";
    }
    else
    {
        echo "" . _DELETE_PAGE_ERROR . "";
    }
}
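The three problems raised in this thread (the forgeable cookie, the CSRF-able GET delete, and the unescaped $id) can all be closed in admin/delete_page.php. The following rewrite is an added example, not the CMS's own code; it assumes session_start() has run, $db is a mysqli connection, and the login action stored $_SESSION['admin'] and $_SESSION['csrf_token'].

```php
<?php
// Added example (not the thread's code): hardened admin/delete_page.php.
// Assumes: session_start() has run, $db is a mysqli connection, and the login
// action set $_SESSION['admin'] = true and $_SESSION['csrf_token'].

function delete_page(mysqli $db, array $session, array $post): string
{
    // 1. Authorisation comes from server-side session state, not from a client cookie value
    if (empty($session['admin'])) {
        return 'forbidden';
    }

    // 2. CSRF: the request must carry the token tied to this session; an absent
    //    session token is treated as a failure so two empty strings never "match"
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'bad-token';
    }

    // 3. SQL injection: the id is validated as a positive integer and bound as a parameter
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'bad-id';
    }
    $stmt = $db->prepare("DELETE FROM cms_content WHERE id = ?");
    $stmt->bind_param("i", $id);
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();

    return $ok ? 'deleted' : 'not-found';
}

// State-changing action: POST only, so a plain link or image tag cannot trigger it
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
$result = delete_page($db, $_SESSION, $_POST);
echo $result === 'deleted' ? _DELETE_PAGE_SUCCESS : _DELETE_PAGE_ERROR;
```

The admin page that links here must embed $_SESSION['csrf_token'] as a hidden field in a POST form; the missing `{` after `if ($admin)` in the original is also gone, since the whole check now lives inside one function.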

Re: [Security Lesson] Find the Vulnerability and Exploit :: 2

Postby topdown » 15 Mar 2009, 00:52

Spoiler:
:rotfl: That's funny, 5 posts and leave it to a pro[ Techie-Micheal ] to spot a simple syntax error { :P
I assume David knew it was there so I didn't count his posts. He likes leaving little things like that.
Do not PM me for Support unless I give permission in a post......PM's only help one, posts help everyone !
