Telhack Security Advisory - #1 _________________________________________ Name: PVote 1.5b Impact: Minor (Content manipulation, Script admin) Date: April 18 / 2002 _________________________________________ Daniel Nyström <exceat_private> _I N F O_ PVote is a PHP voting system. It uses MySQL to hold all information about the system. Author has been notified of all three problems described in this advisory. _P R O B L E M_ A lot of the scripts in the PVote package do not properly check who the userare and therefore lets anyone add or delete polls at any time. Also, there exist a vulnerability that lets anyone change the Admin password or set it to null. _I M P A C T_ Minor, as content manipulation aint to bad after all. Just a little bit embarrasing. _E X P L O I T I N G_ These 'Add/Del' and 'Admin change pass' vulns. can all be exploited from a web browser by a basic GET requests that might look something like these: ADD http://isp.net/pvote/add.php?question=AmIgAy&o1=yes&o2=yeah&o3=well..yeah&o4 =bad Question is the question:) o1-o4 are the options. DEL http://isp.net/pvote/del.php?pollorder=1 Pollorder is the poll 'id' number. It can be found by stepping thru poll.php to find the id as shown below: http://isp.net/pvote/poll.php?pollorder=1 and then increase pollorder (pollorder=2) and so on until you find what you want. CHANGE ADMIN PASS http://isp.net/pvote/ch_info.php?newpass=owned&confirm=owned Again we are allowed to change stuff without having to authenticate in anyway. If we just wanna fuck with the admin we may just enter this: http://isp.net/pvote/ch_info.php As it sets both newpass and confirm to "" it sets the pass to "". This thing could have been avoided by just adding a line of code that required you to submit the old pass to be able to change. _F I X E S_ Many of the scripts in this package needs some kind of secure authenticationmethod that stops users from behaving badly >:) and I think it is up to the author(s?) to fix that. But until then, I would recommend removing the package. /Daniel Nyström a.k.a excE @ Telhack 026 Inc. http://excelsi0r.darktech.org/~exce/ http://www.telhack.com <- page temporarily down.
This archive was generated by hypermail 2b30 : Thu Apr 18 2002 - 09:08:46 PDT