TextPortal Default Password Vulnerability

From: bugtracklist.fm (bugtracklistat_private)
Date: Fri May 23 2003 - 15:15:52 PDT


    TextPortal Default Password Vulnerability
    
    Advisory ID:                  B$H-2003:001
    Advisory URL:               http://www.tar.hu/bsh/reports/bsh-2003-001.txt
    Date:                              2003.05.22.
    Original Advisory Date:   2003.05.10.
    Discovery date:               2003.05.10.
    Type:                              Vulnerability / Exploit
    Product:                          TextPortal
    Affected versions:            All (as of discovery date)
    Fixed Version:                 None
    Vendor notified:               2003.05.10.
    Vendor response:             2003.05.16.
    Product/vendor URL:       http://www.textportal.hu/
    
    Author:                           B$H
    Author info:                     bshat_private / http://www.tar.hu/bsh/
    Greetz to :                       Sigterm, Dodge Viper, Geo, DVHC
    
    ------------------------------------------------------
    Product description:
    ------------------------------------------------------
    
    TextPortal is a text-based PHP portal system with forum, voting, user
    registration, etc. To use this portal system you need only PHP on the web
    server.
    
    ------------------------------------------------------
    Vulnerability:
    ------------------------------------------------------
    
    The default admin password is: admin. The administrators always change
    this. You can change the admin password at admin-menu -> admin password
    menu item. The admin password is in admin_pass.php :
    
    <?php
    god1¤t.gEaVtS1Uh86
    god1-tmp¤d.9qw2fVYDNh2god2¤ijv.8ZKH0lW8s
    god2¤3JVqJsoQ4Dph2
    
    What is god2? God2 is also an administrator (editor). This user hasn't
    got full control, but you can change many things:
    
    - Voting
    - Articles
    - Downloads
    - Links
    - Gallery
    - Forum
    - Visitor's Book
    - Statistics
    
    The portal uses the PHP crypt function for the passwords, so you can crack
    this password with any UNIX password cracker. The result: 3JVqJsoQ4Dph2:12345. ;)
    The password is: 12345. Many people don't know this and they don't change the
    password.
    
    ------------------------------------------------------
    Exploit:
    ------------------------------------------------------
    
    http://[target]/admin.php
    Target 12345 and Enter. ;)
    
    -----------------------------------------------------
    Solution:
    ------------------------------------------------------
    
    Change the editor password: admin menu > admin password > change editor
    password. Or write the crypted password to admin_pass.php after the part:
    "god2¤".
    
    B$H
    bshat_private
    www.tar.hu/bsh
    
    2003.05.22.
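
A defender-side check for the condition described above, as an added example that is not part of the original advisory or of TextPortal: it parses an admin_pass.php file and reports any account that still carries the default editor hash quoted in the advisory. The entry layout (name¤hash, 13-character crypt() strings, sometimes run together on one line) is an assumption inferred from the listing above, and the function names and the second sample file are hypothetical.

```python
import re

# Editor ("god2") hash quoted in the advisory, which reports that it
# cracks to the password 12345.
DEFAULT_EDITOR_HASH = "3JVqJsoQ4Dph2"

# Assumed layout, inferred from the advisory's listing: <name>¤<hash>,
# where the hash is a 13-character traditional crypt() string.
ENTRY = re.compile(r"([A-Za-z0-9-]+)\u00a4([./0-9A-Za-z]{13})")

def decode(raw: bytes) -> str:
    """The ¤ separator is one byte (0xA4) in Latin-1/2 but two in UTF-8."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")

def parse_entries(raw: bytes):
    """Return (name, hash) pairs; the fixed hash length lets the regex
    split entries even when two of them share one line."""
    return ENTRY.findall(decode(raw))

def audit(raw: bytes):
    """Return (name, issue) findings for one admin_pass.php file."""
    issue = "default editor hash still present (password 12345)"
    # Same salt and same hash means same password, whatever the account.
    return [(name, issue) for name, digest in parse_entries(raw)
            if digest == DEFAULT_EDITOR_HASH]

# The listing from the advisory, stored as a Latin-1 encoded file.
SAMPLE_DEFAULT = (
    "<?php\n"
    "god1¤t.gEaVtS1Uh86\n"
    "god1-tmp¤d.9qw2fVYDNh2god2¤ijv.8ZKH0lW8s\n"
    "god2¤3JVqJsoQ4Dph2\n"
).encode("latin-1")

# Constructed file in which both hashes were replaced (placeholder values).
SAMPLE_CHANGED = "<?php\ngod1¤aaConstructed\ngod2¤bbConstructed\n".encode("utf-8")

if __name__ == "__main__":
    for label, raw in (("default", SAMPLE_DEFAULT), ("changed", SAMPLE_CHANGED)):
        print(label, audit(raw) or "no default hash found")
```

An empty result only means the shipped editor hash is gone; it says nothing about the strength of whatever password replaced it.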
    


