---------------------------------------------------
Owl Intranet Engine - File Disclosure Vulnerability
---------------------------------------------------
Date:
    5-12-03

Advisory Url:
    http://sec.angrypacket.com/advisories.phtml

Vendor Home Page:
    http://owl.sourceforge.net/

Vendor Project Page:
    http://sourceforge.net/projects/owl

Version Information:
    Owl 0.71
    
Application Information:
    Owl is a multi-user document repository (knowledgebase) system written in PHP4 for publishing files/documents onto the web for a corporation, small business, group of people, or just for yourself.

Extra Information:
    Owl is written in PHP4 and stores its data in a MySQL database.

Vulnerability Information:
    By requesting browse.php with a bogus username in the URL query string, the contents of the repository can be viewed within the Owl interface. This bypasses user authentication entirely: neither a valid username and password nor a valid session ID is required.

    In the Owl PHP source, the browse.php script calls the library lib/owl.lib.php, and at that point the library does not verify that the supplied user and password are valid.

Code Snippet:
    intranet/lib/owl.lib.php

    ------------------- snip ------------------
    function verify_login($username, $password) {
        global $default;
        $sql = new Owl_DB;
        $sql->query("select * from $default->owl_users_table where username = '$username' and password = '" . md5($password) . "'");
        $numrows = $sql->num_rows($sql);
        // Bozz Begin added Password Encryption above, but for now
        // I will allow admin to use non crypted password untile he
        // upgrades all users
        if ($numrows == "1") {
            while($sql->next_record()) {
                if ( $sql->f("disabled") == 1 )
                    $verified["bit"]        = 2;
                else
                    $verified["bit"]        = 1;
                $verified["user"]       = $sql->f("username");
                $verified["uid"]        = $sql->f("id");
                $verified["group"]      = $sql->f("groupid");
                $maxsessions            = $sql->f("maxsessions") + 1;
            }
        }
        // Remove this else in a future version
        else {
            if ($username == "admin") {
                $sql->query("select * from $default->owl_users_table where username = '$username' and password = '$password'");

    ------------------- snip ------------------

Exploit Sample:
    http://www.someplace.com/intranet/browse.php?loginname=whocares
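    Added example, not Owl's own code: the access-control mistake described above, shown as a weak page gate that trusts the loginname query parameter beside a hardened gate that accepts only a server-side session populated after verify_login() succeeds. The function names, session keys and login-form path are hypothetical; only the shape of $verified (user, uid, group, bit) comes from the snippet above. Written for PHP 7.1+.

```php
<?php
// Added example (not Owl's code). Weak gate: identity is read straight from the
// query string, so ?loginname=anything "authenticates" without password or session.
function current_user_weak(array $get): ?string
{
    return isset($get['loginname']) ? (string) $get['loginname'] : null;
}

// Hypothetical login handler: persist the outcome of the real credential check in
// the server-side session. $verified has the shape verify_login() builds in the
// snippet above (bit 1 = enabled account, bit 2 = disabled).
function establish_session(array $verified, array &$session, int $now): bool
{
    if ((int) ($verified['bit'] ?? 0) !== 1) {
        return false;                       // bad password or disabled account
    }
    $session = [
        'uid'       => (int) $verified['uid'],
        'user'      => (string) $verified['user'],
        'group'     => (int) $verified['group'],
        'last_seen' => $now,
    ];
    return true;
}

// Hardened gate: identity comes only from the server-side session, and idle sessions expire.
function current_user_hardened(array $session, int $now, int $idle_ttl = 1800): ?string
{
    if (empty($session['uid']) || empty($session['user']) || empty($session['last_seen'])) {
        return null;
    }
    if ($now - (int) $session['last_seen'] > $idle_ttl) {
        return null;                        // expired; caller should destroy it
    }
    return $session['user'];
}

// Top of a page such as browse.php: refuse to render unless a verified user exists.
function require_login(?string $user, string $login_form = '/intranet/index.php'): void
{
    if ($user === null) {
        header('Location: ' . $login_form);
        exit;
    }
}

// Constructed demonstration with the advisory's sample request.
$get = ['loginname' => 'whocares'];
var_dump(current_user_weak($get));            // string(8) "whocares": page renders
var_dump(current_user_hardened([], time()));  // NULL: require_login() redirects
```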


Credits:
    Angrypacket_Security ( you know wh0 you iz ), Methodic ( w0rd up j1gg4h ! ) dont worry you'll be in KC soon too !


Url:
    http://www.sec.angrypacket.com



Extra Stuff:
    Never underestimate the skillz of a fat man.

    ~!>D
------------------------------------------
      Network Security Engineer
      http://www.angrypacket.com
       Christopher M Downs,RHCE
     cdowns@bigunz.angrypacket.com
    
   char ash[]="\x48\x61\x69\x6C\x20"
   "\x74\x6F\x20\x74\x68\x65\x20\x4B"
   "\x69\x6E\x67";
-------------------------------------------