lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 30 Jul 2004 00:39:59 -0000
From: jonathan tough <j@...impressions.com>
To: bugtraq@...urityfocus.com
Subject: WpQuiz Gain Admin Rightd Exploit found




Ok so here is what I found

Authors website wireplastik.com (currently down)
php script I found exploit in wpquiz  version 2.60b8 ( also tested on 2.60b 1-7)

 

Exploit: by default wpquiz comes with a folder called extras. This folder is not password protected nor does it require any sort of authentication to gain entry.

 

The extras folder contains php version testing scripts, sql testing scripts, and most importantly adminrestore.php

So here is how the exploit works. 

Do a search on Google for wpquiz (you will find over 500 results)

Test to see if the site has the extras folder
example http://site-to-exploit.com/wpquiz/extras/adminrestore.php

If this page comes up the site is vulnerable

Now you must register an account on the site by simply registering
login once then log out
then go to http://sitetoexploit.com/wpquiz/extras/adminrestore.php

You can scroll down until you find your username and select it, then hit the button “Restore Admin Status”
You are now an ADMIN of the wpquiz php script 

you can now login and access the admin control panel; you will have complete control over the quiz at this point. You can also edit user’s accounts; change users email addresses then request a lost password. You then have that user’s password that could possibly lead to more problems such as logging into user’s email that was used to register with wpquiz and gain further access

Fix- delete the extras directory, password protect the extras directory or rename the extras folder

Please give me full credits for this exploit find. I have tried to contact the author but the site is down and has been for a while
The script seems to be unsupported at this point. 

Credits :

Jonathan Tough
Exploit found 7.28.04
email jtough@...il.com
www.eyeimpressions.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ