
Kemana Directory 1.5.6 (qvc_init()) Cookie Poisoning CAPTCHA Bypass Exploit

Risk: Low
Advisory ID: ZSL-2014-5175
Release Date: 25 March 2014
Vendor:
Affected Version: 1.5.6
CVE: N/A
Tested On: Microsoft Windows 7 Professional SP1 (EN), Apache/2.4.7 (Win32), PHP/5.5.6, MySQL 5.6.14
Summary

Experience the ultimate directory script solution with Kemana. Create your own Yahoo or Dmoz easily with Kemana. Kemana's unique features include: a CMS engine based on our qEngine, multiple directories support, a user-friendly administration control panel, easy-to-use custom fields, and unsurpassed flexibility.

Description

The CAPTCHA function of Kemana Directory is prone to a security bypass vulnerability in its CAPTCHA authentication routine. The function 'qvc_init()' in '/includes/function.php' sets a cookie in the response header whose value is a SHA1 hash of the challenge; because the later check reads the reference value back from that client-held cookie, it can be replaced with an attacker-computed SHA1 hash of any chosen answer via a cookie poisoning attack. Successful exploitation allows attackers to bypass the CAPTCHA-based authentication challenge and perform brute-force attacks.

/includes/function.php:
-------------

/*------- ( QVC - VISUAL CONFIRMATION FUNCTIONS aka CAPTCHA ) ------- */


// qVC - the simplest visual confirmation engine yet
// use qvc_init() --> <img src="visual.php"> --> compare qvc_value() == sha1 (strtolower($user_input) )?
// qVC uses db to communicate with visual.php, then set user cookie using sha1, then db not used!
// $num = either 3 or 5, 3 => only 0-9, 5 => 0-F
function qvc_init ($num = 5)
{
	if ($num == 3)
		$value = mt_rand (100, 999);
	else
		$value = random_str (5);
	ip_config_update ('visual', $value);
	setcookie ('qvc_value', sha1 ($value), 0, '/');
}


// return qvc value (it's sha1'd, so be sure to compare with sha1'd value)
function qvc_value ()
{
	$correct_val = cookie_param ('qvc_value');

	// block browser BACK
	qvc_init ();
	return $correct_val;
}
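To make the failure mode concrete, the following is an added example (not Kemana's code) that places the cookie-trusting check described above beside a version that keeps the expected answer server-side. It assumes PHP 7 or later and uses $_SESSION in place of Kemana's ip_config_update() and cookie_param() helpers, which are not reproduced here; the function names are chosen for this example only.

```php
<?php
// Added example, not Kemana's code. qvc_check_vulnerable() mirrors the pattern
// in the advisory: the reference value is read back from a cookie the browser
// supplies. The qvc_*_hardened() functions keep the answer in the session instead.

// Vulnerable: whoever controls the 'qvc_value' cookie controls the comparison,
// so the client can make the cookie match whatever answer it is about to submit.
function qvc_check_vulnerable(string $user_input, array $cookies): bool
{
    $correct_val = $cookies['qvc_value'] ?? '';          // client-controlled
    return $correct_val === sha1(strtolower($user_input));
}

// Hardened: generate the challenge with a CSPRNG, store it only in the session,
// and return the plain value for the image renderer. Nothing is sent as a cookie.
function qvc_init_hardened(int $num = 5): string
{
    $value = ($num == 3)
        ? (string) random_int(100, 999)                  // digits only, like the original
        : substr(bin2hex(random_bytes(3)), 0, 5);        // five 0-f characters
    $_SESSION['qvc_value'] = $value;
    return $value;
}

// Hardened: compare against the session copy only, in constant time, and
// consume the challenge so a wrong guess cannot be retried against the same image.
function qvc_check_hardened(string $user_input): bool
{
    $expected = $_SESSION['qvc_value'] ?? null;
    unset($_SESSION['qvc_value']);
    if ($expected === null) {
        return false;                                    // no live challenge
    }
    return hash_equals($expected, strtolower($user_input));
}

// Constructed demonstration; runs from the CLI without a web server or session_start().
$_SESSION = [];
$forged = ['qvc_value' => sha1('abc')];                   // cookie value chosen by the client
var_dump(qvc_check_vulnerable('abc', $forged));           // the server never issued this challenge

$challenge = qvc_init_hardened();
var_dump(qvc_check_hardened('zzzzz'));                    // wrong answer consumes the challenge
var_dump(qvc_check_hardened($challenge));                 // right answer, but no live challenge left

$challenge = qvc_init_hardened();
var_dump(qvc_check_hardened(strtoupper($challenge)));     // case-insensitive, as in the original
```

hash_equals() requires PHP 5.6 or later, so the hardened variant would not run unchanged on the PHP 5.5.6 environment listed under Tested On.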
Proof of Concept
Disclosure Timeline
07.03.2014 - Vulnerability discovered.
10.03.2014 - Vendor contacted.
11.03.2014 - Vendor responds asking for more details.
11.03.2014 - Sent details to the vendor.
12.03.2014 - Working with the vendor.
13.03.2014 - Vendor working on a new version.
21.03.2014 - Asked vendor for status update.
21.03.2014 - Vendor promises patch release in April.
25.03.2014 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
25.03.2014 - Initial release
26.03.2014 - Added reference [1], [2] and [3]
27.03.2014 - Added reference [4] and [5]
31.03.2014 - Added reference [6]