To fix a problem, we should know the problem first.
So after a glance at the original "admin.php" file, the problem is the authentication process: when a user is considered not logged in, and when a user is considered logged in and a valid admin and is therefore shown the normal admin menu, etc.
The main problem is that the admin script only checks the cookie value ($_COOKIE['admin']).
If the script recognizes an "admin" cookie and its value is "1", you are considered logged in.
Here is the original troublesome code.
So, if somehow a user has an "admin" cookie with "1" as the value, he is considered the admin, no matter what (although he does not know the admin password and does not log in through the normal admin login form).

PHP Code:

```php
if ((empty($_COOKIE['admin']) or $_COOKIE['admin']==0) and $access_flag==0){
    // Only reached when the client sent no "admin" cookie (or "0");
    // a client that sends admin=1 skips this whole block and is treated as admin.
    $l_d=1;
    if (isset($_POST['password']) and $_POST['password']==$admin_pass){
        // Correct password: set the very cookie the check above trusts.
        setcookie('admin','1');
        $access_flag=1;
    }
} // closing brace of the outer if (missing from the quoted excerpt)
```
It can be performed in several ways, but I cannot mention them here.
So the quickest fix is to use sessions ($_SESSION) instead of cookies ($_COOKIE).
Because cookies are client side, anything inside a cookie can be modified (if the user knows how to).
But the session is somewhat "server side".
I've seen chetan's code.
At a glance, you modified the authorization code by checking the "admin" cookie value and comparing it with the md5-hashed admin password.
Which means the attacker cannot use a simple "1" as the value,
but he would have to guess the admin password too!
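Added example, not code from the original thread or from chetan's patch: the cookie-only check quoted above placed beside a session-based replacement of the kind the post recommends. The names $admin_pass, $access_flag and $l_d come from the posted snippet; everything else (the function names, the ini settings, the logout helper, and the assumption that $admin_pass holds a password_hash() value rather than the plaintext the thread uses) is my own choice for the sake of a stand-alone file.

```php
<?php
// Added example (not from the original thread). Shows the client-trusting
// check from the post next to a server-side session check.

// --- 1. Original pattern, kept only for comparison --------------------------
// Anything the browser sends in "Cookie: admin=1" passes this check.
function is_admin_cookie_based(): bool
{
    return !empty($_COOKIE['admin']) && $_COOKIE['admin'] == 1;
}

// --- 2. Session-based replacement -------------------------------------------
// Harden the session cookie itself before the session is started
// (assumed settings; adjust to the deployment).
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
ini_set('session.cookie_httponly', '1');   // keep the id away from scripts
ini_set('session.cookie_samesite', 'Lax');
session_start();

// Assumption for this demo: $admin_pass is a password_hash() output loaded
// from config. Generated inline here only so the file runs on its own.
// If $admin_pass were the plaintext password as in the thread, compare with
// hash_equals($admin_pass, $_POST['password']) instead of password_verify().
$admin_pass = password_hash('change-me', PASSWORD_DEFAULT);

function admin_login(string $stored_hash): bool
{
    if (!isset($_POST['password']) || !is_string($_POST['password'])) {
        return false;
    }
    if (!password_verify($_POST['password'], $stored_hash)) {
        return false;
    }
    // Privilege level changes: issue a new session id so a pre-set
    // (fixated) id does not become an admin session.
    session_regenerate_id(true);
    $_SESSION['admin'] = true;
    $_SESSION['admin_since'] = time();
    return true;
}

function is_admin(): bool
{
    // $_SESSION lives on the server; the client only holds an opaque id.
    return isset($_SESSION['admin']) && $_SESSION['admin'] === true;
}

function admin_logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// --- 3. Request handling equivalent to the posted block --------------------
$access_flag = 0;
if (!is_admin()) {
    $l_d = 1;                       // show the login form
    if (admin_login($admin_pass)) {
        $access_flag = 1;
    }
} else {
    $access_flag = 1;               // already authenticated server side
}
```

With this layout the browser never carries a value that says "I am admin"; it carries only a session id, and the admin flag can be revoked by admin_logout() or by session expiry. A cookie that stores md5($admin_pass), by contrast, is a long-lived bearer credential: whoever captures it is admin until the password is changed, and the md5 value can be brute-forced offline.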