lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030514104528.3085.qmail@www.securityfocus.com>
Date: 14 May 2003 10:45:28 -0000
From: Peter Winter-Smith <peter4020@...mail.com>
To: bugtraq@...urityfocus.com
Subject: [VULNERABILITY] PHP 'poster version.two'




Hi Guys,

This is my first time posting a vulnerability since most of my private
research has been done on very small projects, many of which were
never released.

Anyways, down to the vulnerability:




Poster version.two privilege escalation:
========================================

Poster version.two is an up and coming php news posting system which has
already been put into use by many websites, mostly minor ‘blog’ style
sites, but due to its growing popularity this may soon change.

If a user has their account type set to 'normal' by the administrator, 
then
they cannot edit other peoples accounts, nor can they edit other peoples
posts, they are harmless to the site.

Sadly, there is a fairly dangerous vulnerability within the 'index.php' 
file
in the 'edit account' section of the code, which places data from the
username, password and email address fields straight into the 'mem.php'
(user password and privileges) file.

A normal 'mem.php' file looks like this:

[-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-]

<?
James|password|email@...ress.com|admin|
Jack|password|email@...ress.com|normal|
?>

[-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
=-]

Where James has an administrator account, and Jack doesn't.

The normal user, Jack, could decide to change his account details to:

Username: Jack
Password: password
Email:    email@...ress.com|admin|

Notice the '|admin|' appended to the end of the address.
When Jack saved his details his account would appear as:

Jack|password|email@...ress.com|admin||normal|

The 'index.php' file would take the first four parameters as the account
details and type, then seeing that parameter four was '|admin|', it
would assign Jack administrator privilidges.

Jack could then delete all the posts and accounts on the site when he 
next logged in.

Although I do not know PHP very well, this is a very common 
vulnerability, or so
I have found, and this should be addressed within all sorts of 
applications
as soon as possible!

Thank-you for reading this,

-Peter Winter-Smith

[About Me]

I am 16 years old, I study at Christ Church high school, in London, 
England, and
I am taking my GCSEs this year.
My personal interests are Visual Basic and 16 bit assembly language 
programming.
I usually don't release vulnerabilites unless they need wide-spread 
attention.

Please feel free to contact me at:
Email: peter4020@...mail.com
Aim: GenericCode


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ