ZH2003-11SA (security advisory): Elite News Ver. 1.0.0.0-1.0.0.3 Beta

From: Jim Pangalos (dpangalosat_private)
Date: Wed Jul 16 2003 - 14:55:00 PDT

    Published: 16/07/2003
    
    Released: 16/07/2003
    
    Name: Elite News 
    
    Affected System(s): All versions 
    
    Severity: High
    
    Platform(s): Windows and Unix 
    
    Issue: Security holes enable attackers to take administrative control
    
    Original Advisory: http://www.zone-h.org/en/advisories/read/id=2710
    
    Author: Trash-80 - dpangalosat_private
    
    
    
    Description
    
    ************
    
    The Zone-H Security Team has discovered a serious security flaw in Elite News 
    Ver. 1.0.0.0-1.0.0.3 Beta. 
    Elite News is a news publishing system which allows you to easily post 
    news and reviews without a MySQL database.
    
    
    Details
    
    ********
    
    1. Direct access to the stats.php file reveals the Elite News 
    administrator's username.
    
      ex: www.example.com/elitenews/stats.php
    
    2. Fill in the administrator's username in login.html.
      Leave the password field blank.
      Click "Login".
       
      ex: www.example.com/elitenews/login.html
    
    3. Then directly access newpost.php to post a message as an Elite News 
    administrator.
    
    
    
    Furthermore
    
    ************
    
    login.php sets a cookie in your temporary internet files with the 
    administrator's username.
    
    
    Cookie content:
    
    /elitenews
    ex: UserAdmin
    www.example.com/elitenews/
    1536
    2873507712
    29576153
    2673509856
    29576139
    *
    Elitenews
    1
    www.example.com/elitenews/
    1536
    2873507712
    29576153
    2673509856
    29576139
    *
    
    
    
    newpost.php reads this cookie and, when it is present, renders the "Send" 
    and "Reset" buttons, which are not shown if you don't log in with the 
    administrator's username. Because the cookie is stored and sent by the 
    client, its presence is the only thing the page checks.
    
    
    (Bogus) PHP Code/Location:
    
    /elitenews/newpost.php:
    ------------------------------------------------------------------------
    
    <?php
    // Reconstructed newpost.php logic: the only "authorization" check is
    // whether the Elitenews cookie exists, and that cookie is set by the client.
    $admin = $HTTP_COOKIE_VARS["Elitenews"]; // PHP 4 predecessor of $_COOKIE
    if ($admin != "")
    {
        // Any non-empty cookie value unlocks the admin-only form controls.
        echo "<input type=submit value=Send><input type=reset value=Reset>";
    }
    ?>
    
    ------------------------------------------------------------------------
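    The following is an added illustration, not code from the advisory or from the 
    Elite News vendor. It shows the client-trusting pattern described above next to 
    a hardened variant that keeps the authenticated state server-side and refuses an 
    empty password. All file, function and variable names (login(), require_admin(), 
    $cfgUser, $cfgHash) are hypothetical; the password hash is expected to come from 
    server-side configuration and is not included here.

```php
<?php
// Added example (not Elite News code). Names and layout are hypothetical.

// Session cookie should not be readable by script; set before session_start().
ini_set('session.cookie_httponly', '1');
session_start();

// --- Vulnerable pattern --------------------------------------------------
// Authorization is decided by a cookie the browser sends. The client controls
// that cookie, so a non-empty value proves nothing about who the user is.
function is_admin_vulnerable(): bool
{
    return isset($_COOKIE['Elitenews']) && $_COOKIE['Elitenews'] !== '';
}

// --- Hardened pattern ----------------------------------------------------
// login.php: verify a real credential server-side before granting anything.
// $adminHash is a password_hash() value loaded from server-side config.
function login(string $username, string $password,
               string $adminUser, string $adminHash): bool
{
    // An empty password must never authenticate. password_verify() would
    // reject it anyway, but the explicit check documents the intent.
    if ($password === '' || !hash_equals($adminUser, $username)) {
        return false;
    }
    if (!password_verify($password, $adminHash)) {
        return false;
    }
    // Rotate the session id on privilege change (prevents fixation), then
    // record the authenticated state where the client cannot edit it.
    session_regenerate_id(true);
    $_SESSION['is_admin'] = true;
    return true;
}

// Every privileged page (newpost.php, modify.php, editordelete.php, ...)
// checks the server-side session, never a cookie value it did not issue.
function require_admin(): void
{
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage in login.php (credentials from POST, $cfgUser/$cfgHash from config):
//   if (login($_POST['user'] ?? '', $_POST['pass'] ?? '', $cfgUser, $cfgHash)) {
//       header('Location: newpost.php');
//       exit;
//   }
//
// Usage at the top of newpost.php, before any admin-only output:
require_admin();
echo '<input type="submit" value="Send"><input type="reset" value="Reset">';
```

    The key change is where the decision lives: in the vulnerable form the browser 
    supplies the evidence of being an administrator, in the hardened form the server 
    records it in its own session store only after a password check has passed. 
    Setting the session cookie as HttpOnly and regenerating the session id at login 
    are standard companions to that change.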
    
    The same cookie check also gates other Elite News files such as modify.php 
    and editordelete.php, so they can be accessed in the same way.
    
    
    Solution:
    
    *********
    
    The vendor has been contacted; no patch has been produced yet.
    
    
    Trash-80 - www.zone-h.org operator
    
    http://www.zone-h.org
    



    This archive was generated by hypermail 2b30 : Thu Jul 17 2003 - 10:46:49 PDT