Beginner Code Review(Part 1)

Objective

The objective of this task was to perform a code review against a PHP application publicly available on Pentesterlab’s public repository. This review was done in order to practice a methodical approach in conducting code reviews to ensure all code is covered and inspected thoroughly.

High-Level Summary

I tasked myself with performing a code review of the PHP application. The focus of this test was to find potential vulnerabilities on the application without running the application. The overall objective was to identify potential vulnerabilities and report the findings in this blog.

  • Confidential files are exposed so it is possible to view the admin user hash as an external unauthenticated user.
  • Unrestricted file upload allows an attacker to upload malicious files. The sanitization on the server side is insufficient and it can potentially be exploited to gain access to the server.
  • Broken Logic on the authentication of the application. This includes two vulnerabilities that exploit the authentication tokens.

Vulnerabilities

This part of the blog will highlight the individual vulnerabilities. Not all of these may result in privilege escalation but they can still be useful to a malicious adversary.

addfile function in user.php
jwt.php — when creating a jwt, special characters can affect the values of the token.
jwt.php — when verifying a jwt, if no signature if provided, the signature will not be checked.
register function in user.php contains no sanitization
db.php contains the username and password.
deploy.sql contains the admin credentials hard coded.
The function to get files in user.php
Proof of concept code.
register.php setting the cookies.
login.php setting the cookie.
index.php — there are no custom error messages so any errors will output excess information.
user.php — Md5 is used for storing the password when registering.
Register.php — Error messages for the user already existing.
Login.php — The code for the login page.
The signing function on jwt.php

What’s next

In part 2 of this series will describe how a malicious adversary can combine these vulnerabilities to affect the confidentiality, integrity and availability of the application.

Appendix A

To create these PoC files I extracted the relevant functions and modified them so they could work by themselves.

jwtverify.php
createjwt.php
No signature but the function has no returned an invalid signature

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store