Vulnerability in HITB's code and possibly Thatware 0.5.3 (confirmed)
I got an e-mail from Koen last night alerting me to 2 security vulnerabilities in HITB's code. Much love and respect to Koen for alerting me to the hole and not turning malicious with the information he found. It's certainly nice to know that there are still plenty of white hats out there hacking for hacking's sake.
Details:
1.) The first hole is in config.php -- the vulnerability exists through the use of $root_path. Removing $root_path and specifying the full directory location of db_settings.php instead will close this potential for exploit.
2.) The second bug was in auth.inc.php -- this bug, however, I think will only affect users of the older version. The problem lies in the following lines in the file:
$admin = base64_decode($user);
$admin = explode(":", $admin);
The lines above should be changed to this:
$admin = addslashes(base64_decode($user));
$admin = explode(":", $admin);
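As an added example (not HITB's or Thatware's own code), the corrected lines wrapped in a function together with the format checks a defender would want on a decoded credential cookie. addslashes is kept as the fix the post describes; code written today would hand the two fields to a prepared statement instead. The cookie value, the "user:hash" layout, the field patterns and the function name are assumptions for illustration.

```php
<?php
// Added example, not code from HITB or Thatware: hardened version of the
// auth.inc.php credential parsing described above. The "user:hash" layout,
// the field patterns and the function name are assumptions.

// Constructed sample cookie value: base64("admin:5f4dcc3b5aa765d61d8327deb882cf99")
$user = 'YWRtaW46NWY0ZGNjM2I1YWE3NjVkNjFkODMyN2RlYjg4MmNmOTk=';

function parse_admin_cookie($user)
{
    // Strict mode: anything that is not valid base64 is rejected before use.
    $decoded = base64_decode($user, true);
    if ($decoded === false) {
        return null;
    }

    // The fix from the post: escape the decoded, user-controlled string
    // before it is split and used further.
    $admin = explode(':', addslashes($decoded));

    // Expect exactly two fields: user name and password hash.
    if (count($admin) !== 2) {
        return null;
    }
    list($name, $hash) = $admin;

    // Tighten further (assumed policy): a user name of word characters only
    // and a 32-character lowercase hex hash; anything else is rejected.
    if (!preg_match('/^\w{1,32}$/', $name) || !preg_match('/^[0-9a-f]{32}$/', $hash)) {
        return null;
    }

    return array('name' => $name, 'hash' => $hash);
}

$admin = parse_admin_cookie($user);
if ($admin === null) {
    // Malformed or tampered cookie: treat the request as unauthenticated.
    exit('not authenticated');
}
echo 'parsed user: ', $admin['name'], "\n";
```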
Now I should note that HITB runs a mangled version of Thatware, and while the version that we're using is indeed rather old, I'm not sure if the bugs found affect the current latest release of Thatware (version 0.5.3) -- I'm guessing at least the one bug in config.php would probably still be vulnerable, but I haven't checked.