exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Oct 26, 2005
Authored by Chb | Site incast-security.de

aRCHILLES Newsworld versions less than 1.5.0-rc1 suffer from multiple vulnerabilities including login bypass and information disclosure. POC and workarounds included.

tags | advisory, vulnerability, info disclosure
SHA-256 | 9227656086e77f731c91ef4311c8666b9482d7c9442c448649307de93e6d155c


Change Mirror Download
aRCHILLES Newsworld < 1.5.0-rc1 Multiple Vulnerabilities

Software: aRCHILLES Newsworld
Vulnerable versions: <= 1.5.0-rc1
Type: Information Disclosure, Login Bypass
Risk: Critical
Date: 21st October 2005
Vendor: aRCHILLES (http://www.scriptworld.kh-webcenter.de)

These vulnerabilities were found by Christoph 'Chb' Burchert from http://www.incast-security.de/.

Newsworld is a simple newssystem with two access-levels and comfortable web-administration interface. It is possible to create password protected users who can post news. Newsworld saves its data in textfiles so no SQL-database is necessary.

Vulnerability 1: Information Disclosure
Vulnerable up to version 1.5.0-rc1.

Due to the fact that Newsworld saves the userdata in textfiles it is possible to access this file to gain information about users. The useraccounts are in the account.nwd and have the following format:

Until version 1.3.0:

>From version 1.3.0 up to 1.5.0-rc1:

As you can see this information should not be available. With this information you can maybe bypass the login, see Vulnerability 2 for more information concerning this.

You find the account.nwd on the following places:
1.0.1: /accound.nwd
Since 1.1.0: /data/account.nwd

Vulnerability 2: Login Bypass
Vulnerable up to version 1.3.0.

If you gained the userinformation and the version is beneath 1.3.1 you may bypass the login to gain access to the administration interface. But you cannot use the hash of the password for the login panel because the script hashs the input and compares it with the hash in the account.nwd. There is still a way to get into the administration. You can access the admin_news.php with its parameters to get in:


Vulnerability 3: Login Bypass
Vulnerable beyond version 1.3.0.

>From version 1.3.1 the script uses sessions for the administration panel. But due to the fact that the sessions are also saved in a file called session.nwd. This means you can copy the session id of an user who is currently online. The session.nwd has the following format:

SessionID#UserID#Username#PasswordHash#Timestamp for timelimit

So copy the session id and call the script as follows:
Then you may be in the administration.

Solution for Vulnerability 1:
Create a .htaccess:
"<FilesMatch \account.nwd$>
deny from all

Solution for Vulnerability 2:
You could hash the password twice beforce writing into the account.nwd. Then hash it the second time in admin_news.php (the parameter) and check it then. If somebody tries to get in through the parameters it will not work because the hash will be hashed again and then it is not the same as in the account.nwd.

Solution for Vulnerability 3:
Create a .htaccess:
"<FilesMatch \session.nwd$>
deny from all

Greets fly out to cracki, triple6 and all people from www.incast-security.de.
Login or Register to add favorites

File Archive:

November 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    1 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    0 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    219 Files
  • 14
    Nov 14th
    19 Files
  • 15
    Nov 15th
    66 Files
  • 16
    Nov 16th
    38 Files
  • 17
    Nov 17th
    9 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    11 Files
  • 22
    Nov 22nd
    56 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    36 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    14 Files
  • 28
    Nov 28th
    30 Files
  • 29
    Nov 29th
    35 Files
  • 30
    Nov 30th
    25 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By