8< ----------------------------------------------------------------------------

SIPS vulnerability:

When a user registers, his name is used to create a directory without being
checked first. This allows attackers to create directories anywhere on the
system with the privileges of the webserver, which is (or should be) nobody.

    mkdir($config["sipssys"] ."/users/$username[0]/$username", 0777);
    touch($config["sipssys"] ."/users/$username[0]/$username/user");
                                                   ^
                                                   |
                                  That variable doesn't get validated

-----

The second problem is that the cookie stored on the machine after the user
has logged in contains his password, MD5-hashed:

    $cryptpass = md5($password);

and

    setcookie("user", "$username:$cryptpass", time() + ($config["cookietime"] * 86400));

A user with the username test and the password test will have a cookie like
this:

    test%3A098f6bcd4621d373cade4e832627b4f6

    test       %3A   098f6bcd4621d373cade4e832627b4f6
    ^^^         ^    ^^^^^
    username    :    MD5 hash of password

The SIPS developers released a new/fixed version (0.3.0) that can be
downloaded from their web site:

http://sips.sourceforge.net/

zillion
http://www.safemode.org
http://cgi-security.org

8< ----------------------------------------------------------------------------
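
A hardened counterpart to the two snippets quoted in the advisory above, as an added example: it is not SIPS code and not the change made in 0.3.0. It validates the username against an allow-list before building the path, confirms the created directory still sits under the users directory, and issues a random cookie token that is unrelated to the password. The function names, the 3-32 character username rule, the 0750 mode and the temp-directory demo path are assumptions made for illustration.

```php
<?php
// Added example; not SIPS code. All names and limits here are assumptions.

function valid_username(string $username): bool
{
    // Allow-list: '/', '.', NUL and other path metacharacters cannot pass.
    return preg_match('/\A[A-Za-z0-9_-]{3,32}\z/', $username) === 1;
}

function create_user_dir(string $sipssys, string $username): string
{
    if (!valid_username($username)) {
        throw new InvalidArgumentException('invalid username');
    }
    $base = realpath($sipssys . '/users');
    if ($base === false) {
        throw new RuntimeException('users directory missing');
    }
    $dir = $base . '/' . $username[0] . '/' . $username;
    // 0750 instead of 0777: the directory does not need to be world-writable.
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('mkdir failed');
    }
    // Defence in depth: the resolved path must still be below $base.
    $real = realpath($dir);
    if ($real === false || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        throw new RuntimeException('path escaped users directory');
    }
    touch($real . '/user');
    return $real;
}

function new_session_token(): string
{
    // Random value, not derived from the password. Store only
    // hash('sha256', $token) server-side and expire it with the cookie.
    return bin2hex(random_bytes(32));
}

// Constructed demo input, run against a scratch directory.
$sipssys = sys_get_temp_dir() . '/sips_demo';
@mkdir($sipssys . '/users', 0750, true);
foreach (['test', '../../tmp/x', 'a/b', 'x'] as $name) {
    try {
        echo $name, ' -> ', create_user_dir($sipssys, $name), PHP_EOL;
    } catch (Exception $e) {
        echo $name, ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
echo 'cookie token: ', new_session_token(), PHP_EOL;
```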