Message-ID: <200304212249.01277.webmaster@securiteinfo.com>
Date: Mon, 21 Apr 2003 22:49:01 +0200
From: scrap <webmaster@...uriteinfo.com>
To: bugtraq@...urityfocus.com
Subject: PTNews v1.7.7 - Access to administrator functions without authentication


PTNews v1.7.7 - Access to administrator functions without authentication


.oO  Overview Oo.
PTNews v1.7.7 - Access to administrator functions without authentication
Discovered on April 7th, 2003
Vendor: PTNews - http://www.openbg.net/ptsite/

PT News is a simple news system. It is a lightweight solution for sites without SQL 
database support. The whole system is written in PHP (PHP3 and PHP4 supported).
A vulnerability allows access to the administrator functions without 
authentication.


.oO  Details Oo.
In PTNews v1.7.7, the administrator functions are located in the file news.inc.
Here is the interesting piece of code:

//handle administrator functions

$files = getFileNames($newsdir);
$context = "";

if ($HTTP_POST_VARS[submitButton] == $lang[frm_btn]) {
   createNewsEntry($newsdir);
   if ("replace" == $HTTP_POST_VARS[action] &&
      in_array($HTTP_POST_VARS[file], $files)) {
      deleteNewsEntry($newsdir.$HTTP_POST_VARS[file]);
   }
   makeNewsRSS($newsdir);
} elseif (isset($HTTP_GET_VARS[delete])) {
   if ("all" == $HTTP_GET_VARS[delete]) {
      $context = deleteAll($newsdir,$config[newssuff]);
   } else {
      if (in_array($HTTP_GET_VARS[delete], $files))
         deleteNewsEntry ($newsdir.$HTTP_GET_VARS[delete]);
   }
   makeNewsRSS($newsdir);
} elseif (isset($HTTP_GET_VARS[edit]) &&
      in_array($HTTP_GET_VARS[edit], $files)) {
   $context = editNewsEntry($newsdir,$HTTP_GET_VARS[edit]);
}


As you can see, it handles:
- News creation
- News replacement
- News deletion
- News editing


Now, the file "news.inc" is included in the index.php file as follows:

<html>
<head>
<title>PTNews Site</title>
</head>
<body>
<?
   $newsdir = "news/";
   include ("news.inc");
   // handle CGI parameters
   if (!isset($HTTP_GET_VARS[pageNum])) $pageNum = 1;
   else $pageNum = $HTTP_GET_VARS[pageNum];
   if (!isset($HTTP_GET_VARS[topic])) {
       $topic="";
   } else {
      $topic=$HTTP_GET_VARS[topic];
   }
   $extra="";
?>
etc...


Bingo! The file "news.inc" is needed by the public access file "index.php", for 
example for the "searchNews" or "displayNews" functions. But since news.inc 
also contains the administrator functions, and index.php never checks who the 
visitor is before running them, everybody can reach the administrator 
functions...

.oO  Exploit Oo.
OK, that's really easy. You just have to send a specific URL to reach the 
admin functions.

Function / URL:
- Create a news item / Not a URL: only POSTed data. Not impossible to exploit :)
- Replace a news item / Not a URL: only POSTed data. Not impossible to exploit :)
- Delete all news / http://www.victim.com/ptnews/index.php?delete=all
- Edit a news item / Too difficult to exploit

.oO  Solution Oo.
The solution is to separate the standard news functions from the administrator 
news functions:
Standard news functions must go to news.inc
Administrator news functions must go to admin.inc

The vendor has been informed and has solved the problem. Download PTNews 1.7.8 at:
http://www.openbg.net/ptsite/
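The split described above, written out as an added example (not the vendor's code, and not the actual 1.7.8 fix): the administrator dispatch from news.inc moves into admin.inc, which is only ever included by an admin page and refuses to run anything until the caller is authenticated. It assumes a hypothetical session flag $_SESSION['is_admin'] set by a separate login page, and that the helper names shown in the advisory ($newsdir, $lang, $config, getFileNames, createNewsEntry, deleteNewsEntry, deleteAll, editNewsEntry, makeNewsRSS) remain defined in news.inc.

```php
<?php
// admin.inc: administrator dispatch moved out of news.inc (added example).
// index.php keeps including only news.inc, so the public page no longer
// carries the administrator branch at all.

// Hypothetical helper for this example: refuse to continue unless a login
// page has already marked this session as an administrator.
function requireAdmin() {
    if (session_id() === '') {
        session_start();
    }
    if (empty($_SESSION['is_admin'])) {
        header('HTTP/1.1 403 Forbidden');
        exit('Administrator login required.');
    }
}

// Gate first: nothing below runs for an anonymous visitor.
requireAdmin();

$files   = getFileNames($newsdir);   // whitelist of existing news files
$context = "";

if (isset($_POST['submitButton']) && $_POST['submitButton'] == $lang['frm_btn']) {
    createNewsEntry($newsdir);
    if (isset($_POST['action'], $_POST['file']) && "replace" == $_POST['action']
        && in_array($_POST['file'], $files, true)) {
        deleteNewsEntry($newsdir . $_POST['file']);
    }
    makeNewsRSS($newsdir);
} elseif (isset($_GET['delete'])) {
    if ("all" == $_GET['delete']) {
        $context = deleteAll($newsdir, $config['newssuff']);
    } elseif (in_array($_GET['delete'], $files, true)) {
        // only names from the whitelist, as in the original check
        deleteNewsEntry($newsdir . $_GET['delete']);
    }
    makeNewsRSS($newsdir);
} elseif (isset($_GET['edit']) && in_array($_GET['edit'], $files, true)) {
    $context = editNewsEntry($newsdir, $_GET['edit']);
}

// admin.php (the only file that includes admin.inc) would then read:
//   $newsdir = "news/";
//   include("news.inc");   // display/search functions only
//   include("admin.inc");  // gated dispatch above
```

With this layout a request such as index.php?delete=all simply has no handler, so the administrator functions are reachable only through admin.php and only after requireAdmin() succeeds.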


.oO  Discovered by Oo.
Arnaud Jacques aka scrap
webmaster@...uriteinfo.com
http://www.securiteinfo.com

