Date: 16 Jul 2003 21:55:00 -0000
From: Jim Pangalos <dpangalos@...uxmail.org>
To: bugtraq@...urityfocus.com
Subject: ZH2003-11SA (security advisory): Elite News Ver. 1.0.0.0-1.0.0.3 Beta




Published: 16/07/2003

Released: 16/07/2003

Name: Elite News 

Affected System(s): All versions 

Severity: High

Platform(s): Windows and Unix 

Issue: Security holes enable attackers to take administrative control

Original Advisory: http://www.zone-h.org/en/advisories/read/id=2710

Author: Trash-80 - dpangalos@...uxmail.org



Description

************

Zone-h Security Team has discovered a serious security flaw in Elite News 
Ver.1.0.0.0-1.0.0.3 Beta. 
Elite News is a news publishing system which allows you to easily post 
news and reviews without a MySQL database.


Details

********

1. Direct access to the stats.php file reveals the Elite News 
administrator's username.

  ex: www.example.com/elitenews/stats.php

2. Fill in the administrator's username in login.html.
  Leave the password field blank.
  Click "Login".
   
  ex: www.example.com/elitenews/login.html

3. Then directly access newpost.php to post a message as an Elite News 
administrator.



Furthermore

************

login.php sets a cookie in your temporary internet files with the 
administrator's username.


Cookie content:

/elitenews
ex: UserAdmin
www.example.com/elitenews/
1536
2873507712
29576153
2673509856
29576139
*
Elitenews
1
www.example.com/elitenews/
1536
2873507712
29576153
2673509856
29576139
*



newpost.php "reads" this cookie and thus it's possible to see the "Send" 
and "Reset" buttons which are not shown if you don't login with the 
administrator's username. 


(Bogus) PHP Code/Location:

/elitenews/newpost.php:
------------------------------------------------------------------------

<?php
$admin = $HTTP_COOKIE_VARS["Elitenews"]; 
if ($admin != "")
{
echo "<input <input type=submit value=Send><input type=reset value=Reset>";
}
?>

------------------------------------------------------------------------

It's also possible to access other Elite News files like modify.php, 
editordelete.php etc...


Solution:

*********

The vendor has been contacted; no patch has been produced yet.


Trash-80 - www.zone-h.org operator

http://www.zone-h.org
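
A hardened form of the two checks described above (the blank-password login and the cookie test in newpost.php), shown beside the cookie check for comparison. This is an added example, not code from Elite News or from the advisory author; the function names, the account store and the sample password are hypothetical, and the array `$session` stands in for PHP's `$_SESSION`.

```php
<?php
// Added example; hypothetical names, not Elite News code.

// Constructed sample account store (username => password hash). Elite News
// has no database, so a flat file would hold this in practice (assumption).
$accounts = ['UserAdmin' => password_hash('constructed-sample-passphrase', PASSWORD_DEFAULT)];

// Check from the advisory, kept for comparison: any non-empty cookie passes.
function is_admin_by_cookie(array $cookies): bool
{
    return ($cookies['Elitenews'] ?? '') != '';
}

// Login: a blank password or unknown user never authenticates.
function attempt_login(array $accounts, string $user, string $password, array &$session): bool
{
    if ($user === '' || $password === '' || !isset($accounts[$user])) {
        return false;
    }
    if (!password_verify($password, $accounts[$user])) {
        return false;
    }
    // State lives server-side; in a web request $session is $_SESSION after
    // session_start(), followed by session_regenerate_id(true).
    $session['admin_user'] = $user;
    return true;
}

// Gate to call at the top of newpost.php, modify.php, editordelete.php.
function is_admin(array $session, array $accounts): bool
{
    return isset($session['admin_user'], $accounts[$session['admin_user']]);
}

// Constructed requests: a client-supplied cookie and an empty server session.
$cookies = ['Elitenews' => '1'];
$session = [];
var_dump(is_admin_by_cookie($cookies));
var_dump(attempt_login($accounts, 'UserAdmin', '', $session));
var_dump(is_admin($session, $accounts));
var_dump(attempt_login($accounts, 'UserAdmin', 'constructed-sample-passphrase', $session));
var_dump(is_admin($session, $accounts));
```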



