Open Journal Blog Authenticaion Bypassing Vulnerability ================================================= PROGRAM: Open Journal HOMEPAGE: http://www.grohol.com/downloads/oj/ VULNERABLE VERSIONS: 2.5 and below DESCRIPTION ================================================= OpenJournal is a completely Web-based interface (say bye-bye to FTP, manual archiving, etc.). Features include: automated file creation; automated index updating; editing of all files through a Web-based interface; entries with or without titles and time posted; automated archiving based on a weekly or monthly format. All done through ordinary text files and no additional perl modules needed to run it DETAILS ================================================= By feeding special crafted data into the uid parameter of the URL, an attacker can by pass the authentication process and access directly to the software's control panel. The below example will let the hacker add a new user to the software account database. http://www.test.com/cgi-bin/oj.cgi?db=default&uid=%00&userid=hacker&auth=adduser WORKAROUND ================================================= Open Journal's author (Dr John Grohol) is contacted.A patched version (2.6) is ready for downloading on the website. CREDITS ================================================= Discovered by Tri Huynh from SentryUnion DISLAIMER ================================================= The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. FEEDBACK ================================================= Please send suggestions, updates, and comments to: trihuynh@zeeup.com