POC / diff.txt TXT
Only in simplog/: .DS_Store
Only in simplog/: .git
Common subdirectories: simplog/adodb and simplog_patched/adodb
Only in simplog/: cache
Common subdirectories: simplog/doc and simplog_patched/doc
diff simplog/edit.php simplog_patched/edit.php
7d6
< include_once("xmlrpc.inc");
Common subdirectories: simplog/images and simplog_patched/images
Common subdirectories: simplog/install and simplog_patched/install
diff simplog/login.php simplog_patched/login.php
21a22,23
>     require('token_gen_and_validate.php');
> 
23a26,29
>     $ts = time();
>     $token  = generate_token($ts);
>     $mysql = "";
> 
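Review bot: As far as this hunk shows, the token is derived from `$ts` alone, since `generate_token($ts)` receives no session or user value. Its body is in token_gen_and_validate.php, which this diff does not include; if it is a keyed hash of the timestamp, every login in the same second would get the same token, and its secrecy would rest entirely on master_secret.txt, which the listing shows added at the application root where the web server may be able to serve it. A per-session random value avoids both concerns: `$token = bin2hex(random_bytes(32));` on PHP 7+, checked later with `hash_equals()`. `$mysql = "";` is not used in any line visible here and looks like a leftover.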
28a35,36
>         $_SESSION['token'] = $token;
>         $_SESSION['timestamp'] = $ts;
30c38
< 		exit(0);		
---
> 		exit(0);
Only in simplog_patched/: master_secret.txt
Common subdirectories: simplog/phpFlickr and simplog_patched/phpFlickr
Common subdirectories: simplog/templates and simplog_patched/templates
Only in simplog_patched/: token_gen_and_validate.php
diff simplog/user.php simplog_patched/user.php
4,5d3
<  
< require("lib.php");
6a5,6
> require("lib.php");
> require('token_gen_and_validate.php');
35c35
< } elseif($_REQUEST['act'] == "del") { 
---
> } elseif($_REQUEST['act'] == "del") {
39c39
< 			 
---
> 
42c42
< 					  
---
> 
48,56c48,59
< 
< 	if(($_REQUEST['pass1'] == "") or ($_REQUEST['pass2'] == "") or ($_REQUEST['pass1'] != $_REQUEST['pass2'])) {
< 		$err = "<font color=red><b>Passwords must match!</b></font><P>";
< 	} else {
< 		$enc = md5($_REQUEST['pass1']);
< 		$sql = "UPDATE blog_users set password='$enc' where login='$_SESSION[login]'";
< 		$res = $db->Execute($sql);
< 		echo "<b>Password updated</b><br><hr><p>\n";
< 	}
---
>     if (!validate_token($_SESSION['timestamp'], $_REQUEST['token'])) {
>         echo "<b>BAD TOKEN.</b><br>\n";
>     } else {
>         if(($_REQUEST['pass1'] == "") or ($_REQUEST['pass2'] == "") or ($_REQUEST['pass1'] != $_REQUEST['pass2'])) {
>     		$err = "<font color=red><b>Passwords must match!</b></font><P>";
>     	} else {
>     		$enc = md5($_REQUEST['pass1']);
>     		$sql = "UPDATE blog_users set password='$enc' where login='$_SESSION[login]'";
>     		$res = $db->Execute($sql);
>     		echo "<b>Password updated</b><br><hr><p>\n";
>     	}
>     }
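Review bot: The token check wraps only the password-change branch; the `act == "del"` branch (new line 35) and the `blog_flickr` update (new line 75) change only in whitespace in this diff, so those state-changing requests appear to stay unprotected unless they are guarded outside the visible hunks. Reading the token from `$_REQUEST` also accepts it from the query string, where it ends up in URLs and logs; `isset($_POST['token']) ? $_POST['token'] : ''` restricts it to the form body and avoids an undefined-index notice when it is absent. The carried-over lines still store `md5($_REQUEST['pass1'])` and interpolate `$_SESSION[login]` into the UPDATE string, and the query on new line 75 concatenates `$_REQUEST` values directly into SQL. A follow-up should move to `password_hash($_REQUEST['pass1'], PASSWORD_DEFAULT)` with a matching `password_verify()` at login, and pass values through ADOdb's bound parameters, `$db->Execute($sql, array(...))`.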
67c70
< 	
---
> 
72c75
< 			$sql = "update blog_flickr set api_key='".$_REQUEST['key']."', email='".$_REQUEST['femail']."', password='".$_REQUEST['fpass']."' where user_id=".$res->fields['user_id'];	
---
> 			$sql = "update blog_flickr set api_key='".$_REQUEST['key']."', email='".$_REQUEST['femail']."', password='".$_REQUEST['fpass']."' where user_id=".$res->fields['user_id'];
153c156
< 	
---
> 
173a177
> <input type=hidden name=token value="<?=$_SESSION['token']?>">
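Review bot: The token is echoed into the `value` attribute without escaping, so its safety depends on the alphabet `generate_token()` produces, which this diff does not show. `value="<?php echo htmlspecialchars($_SESSION['token'], ENT_QUOTES); ?>"` is safe for any token format and does not rely on `short_open_tag`, which `<?=` needs before PHP 5.4.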
180c184
< <?php 
---
> <?php
182a187
>