Newsworld-1.5.0.txt

Posted Oct 26, 2005
Authored by Chb | Site incast-security.de

aRCHILLES Newsworld versions less than 1.5.0-rc1 suffer from multiple vulnerabilities including login bypass and information disclosure. POC and workarounds included.

tags | advisory, vulnerability, info disclosure
SHA-256 | 9227656086e77f731c91ef4311c8666b9482d7c9442c448649307de93e6d155c

aRCHILLES Newsworld < 1.5.0-rc1 Multiple Vulnerabilities

Software: aRCHILLES Newsworld
Vulnerable versions: <= 1.5.0-rc1
Type: Information Disclosure, Login Bypass
Risk: Critical
Date: 21st October 2005
Vendor: aRCHILLES (http://www.scriptworld.kh-webcenter.de)


Credit:
=======
These vulnerabilities were found by Christoph 'Chb' Burchert from http://www.incast-security.de/.


Description:
============
Newsworld is a simple news system with two access levels and a comfortable web administration interface. It is possible to create password-protected users who can post news. Newsworld saves its data in text files, so no SQL database is necessary.



Vulnerability 1: Information Disclosure
========================================
Vulnerable up to version 1.5.0-rc1.

Because Newsworld stores its user data in text files, it is possible to request this file directly and gain information about users. The user accounts are stored in account.nwd in the following format:

Until version 1.3.0:
1#admin#098f6bcd4621d373cade4e832627b4f6#admin@server.home.net#2#N#
UserID#Username#PasswordHash#e-mail address#Privileges#Banned?#

From version 1.3.0 up to 1.5.0-rc1:
1#admin#098f6bcd4621d373cade4e832627b4f6#webmaster@server.home.net#2#N#Y#
UserID#Username#PasswordHash#e-mail address#Privileges#Banned?#Uploadright?#

As you can see, this information should not be available. With it you may be able to bypass the login; see Vulnerability 2 for details.

You find account.nwd in the following places:
1.0.1: /account.nwd
Since 1.1.0: /data/account.nwd


Vulnerability 2: Login Bypass
========================================
Vulnerable up to version 1.3.0.

If you have obtained the user information and the version is below 1.3.1, you can bypass the login to gain access to the administration interface. You cannot use the password hash in the login panel itself, because the script hashes the input and compares the result with the hash in account.nwd. There is still a way into the administration: admin_news.php can be called with its parameters directly:

http://localhost/newsworld-1.3.0/admin_news.php?action=console&id=<uid>&usr=<username>&pwd=<passwordhash>


Vulnerability 3: Login Bypass
========================================
Vulnerable in versions above 1.3.0.

From version 1.3.1 the script uses sessions for the administration panel, but the sessions are also saved to a file called session.nwd. This means you can copy the session id of a user who is currently online. session.nwd has the following format:

3f3ea289d28b7e3472bdd1cfe5810ea0#1#admin#098f6bcd4621d373cade4e832627b4f6#1129918447
SessionID#UserID#Username#PasswordHash#Timestamp for timelimit

So copy the session id and call the script as follows:
http://localhost/newsworld-1.3.2/admin_news.php?action=console&PHPSESSID=<sessionid>
You should then be in the administration panel.



Solution for Vulnerability 1:
========================================
Create a .htaccess in the directory that holds the file:

<FilesMatch "^account\.nwd$">
    deny from all
</FilesMatch>

(On Apache 2.4 use "Require all denied" instead of "deny from all".)


Solution for Vulnerability 2:
========================================
You could hash the password twice before writing it into account.nwd. Then hash the parameter a second time in admin_news.php and compare that. If somebody tries to get in through the parameters with a leaked hash, it will not work, because the hash is hashed again and no longer matches the value in account.nwd.
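Added example (not part of the advisory or of Newsworld's own code): a parser for the two account.nwd layouts shown under Vulnerability 1, with the direct comparison that admin_news.php performed before 1.3.1 beside the double-hash check proposed here. It shows that a leaked stored hash passes the old check and fails the fixed one. Function names and the sample records are constructed; the hash in them is md5("test").

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample records in the two account.nwd layouts from the advisory.
ACCOUNT_NWD_PRE_130 = "1#admin#098f6bcd4621d373cade4e832627b4f6#admin@server.home.net#2#N#"
ACCOUNT_NWD_130_PLUS = "1#admin#098f6bcd4621d373cade4e832627b4f6#webmaster@server.home.net#2#N#Y#"


@dataclass
class Account:
    user_id: str
    username: str
    password_hash: str
    email: str
    privileges: str
    banned: bool
    upload_right: Optional[bool]  # field only exists from 1.3.0 on


def md5_hex(s: str) -> str:
    # MD5 is what Newsworld used in 2005; unsalted MD5 is not a sound password hash today.
    return hashlib.md5(s.encode()).hexdigest()


def parse_account(line: str) -> Account:
    """Parse one '#'-separated record; the trailing '#' produces an empty last field."""
    fields = line.rstrip("\n").split("#")
    if fields and fields[-1] == "":
        fields.pop()
    if len(fields) not in (6, 7):
        raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
    upload = (fields[6] == "Y") if len(fields) == 7 else None
    return Account(fields[0], fields[1], fields[2], fields[3], fields[4], fields[5] == "Y", upload)


def admin_param_check_original(acct: Account, pwd_param: str) -> bool:
    """Pre-1.3.1 behaviour as the advisory describes it: pwd= is compared
    directly to the stored hash, so a value leaked from account.nwd logs in."""
    return pwd_param == acct.password_hash


def store_hash_fixed(password: str) -> str:
    """Advisory's proposed fix: hash twice before writing account.nwd."""
    return md5_hex(md5_hex(password))


def admin_param_check_fixed(acct: Account, pwd_param: str) -> bool:
    """Fixed check: pwd= carries md5(password); hash it once more before comparing,
    so the stored double hash itself no longer works as a credential."""
    return md5_hex(pwd_param) == acct.password_hash
```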


Solution for Vulnerability 3:
========================================
Create a .htaccess in the directory that holds the file:

<FilesMatch "^session\.nwd$">
    deny from all
</FilesMatch>

(On Apache 2.4 use "Require all denied" instead of "deny from all".)



Greetings:
========================================
Greets fly out to cracki, triple6 and all people from www.incast-security.de.