Beginner Code Review (Part 1)

Objective

High-Level Summary

  • Hard-coded credentials reveal the database credentials and the admin user's password hash.
  • Confidential files are exposed so it is possible to view the admin user hash as an external unauthenticated user.
  • Unrestricted file upload allows an attacker to upload malicious files. The sanitization on the server side is insufficient and it can potentially be exploited to gain access to the server.
  • Broken logic in the application's authentication. This includes two vulnerabilities that exploit the authentication tokens.

Vulnerabilities

  1. Unrestricted File Upload
addfile function in user.php
jwt.php — when creating a JWT, special characters can affect the values of the token.
jwt.php — when verifying a JWT, if no signature is provided, the signature is not checked.
  • See Appendix A for proof of concept code.
register function in user.php contains no sanitization
db.php contains the username and password.
deploy.sql contains the admin credentials hard coded.
The function to get files in user.php
Proof of concept code.
register.php setting the cookies.
login.php setting the cookie.
index.php — there are no custom error messages so any errors will output excess information.
user.php — MD5 is used for storing the password when registering.
register.php — Error messages for the user already existing.
login.php — The code for the login page.
The signing function on jwt.php
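The two jwt.php findings above (special characters altering the token's values, and a missing signature bypassing verification) come down to JSON built by string concatenation and a verifier that skips the HMAC check when the signature part is absent. The following is an added example, not code from the reviewed application, showing how the create and verify functions should be written. It assumes HS256 with a server-side secret (`$secret` is a placeholder) and PHP 8; the function names are chosen for this example.

```php
<?php
// Added example, not the reviewed application's jwt.php.
// Assumes HS256 with a shared server secret; $secret below is a placeholder.

function b64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string|false {
    $pad = strlen($data) % 4;
    if ($pad) { $data .= str_repeat('=', 4 - $pad); }
    return base64_decode(strtr($data, '-_', '+/'), true); // strict: reject junk
}

function create_jwt(array $claims, string $secret): string {
    // json_encode escapes quotes, braces and backslashes in user-controlled
    // values, so a special character in e.g. the username stays inside its
    // own string instead of rewriting neighbouring claims.
    $header  = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT'], JSON_THROW_ON_ERROR));
    $payload = b64url_encode(json_encode($claims, JSON_THROW_ON_ERROR));
    $sig     = b64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

function verify_jwt(string $jwt, string $secret): ?array {
    $parts = explode('.', $jwt);
    // Exactly three parts and a non-empty signature: an absent or empty
    // signature is a verification failure, never a reason to skip the check.
    if (count($parts) !== 3 || $parts[2] === '') {
        return null;
    }
    [$header64, $payload64, $sig64] = $parts;

    // Pin the algorithm on the server side; do not let the token choose it.
    $header = json_decode(b64url_decode($header64) ?: '', true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }

    $expected = hash_hmac('sha256', "$header64.$payload64", $secret, true);
    $given    = b64url_decode($sig64);
    if ($given === false || !hash_equals($expected, $given)) { // constant-time compare
        return null;
    }

    $claims = json_decode(b64url_decode($payload64) ?: '', true);
    if (!is_array($claims)) {
        return null;
    }
    if (isset($claims['exp']) && time() >= (int) $claims['exp']) {
        return null; // expired
    }
    return $claims;
}

// Demonstration with a placeholder secret and a constructed claim value
// containing JSON metacharacters.
$secret = 'REPLACE-WITH-SERVER-SECRET';
$token  = create_jwt(['sub' => 'alice"}, "admin": true, "x": {"', 'exp' => time() + 3600], $secret);

// Valid token: the quotes and braces are still just part of the 'sub' string.
var_dump(verify_jwt($token, $secret)['sub']);

// Same token with the signature part emptied: must be rejected (NULL).
[$h, $p] = explode('.', $token);
var_dump(verify_jwt("$h.$p.", $secret));
```

The two checks that matter for the findings are the `$parts[2] === ''` guard together with `hash_equals`, so a stripped signature can never pass, and `json_encode` for the payload, so claim values are data rather than JSON syntax.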

What’s next

Appendix A

jwtverify.php
createjwt.php
No signature, but the function has not returned an invalid signature.
