107904 2003-07-17  19:46  /120 lines/ Jim Pangalos <dpangalos@linuxmail.org>
Imported: 2003-07-17  19:46  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5625>
Subject: ZH2003-11SA (security advisory): Elite News Ver. 1.0.0.0-1.0.0.3 Beta
------------------------------------------------------------


Published: 16/07/2003

Released: 16/07/2003

Name: Elite News 

Affected System(s): Elite News 1.0.0.0 - 1.0.0.3 Beta (all versions released at the time of writing)

Severity: High

Platform(s): Windows and Unix 

Issue: Authentication bypass enables attackers to take administrative control

Original Advisory: http://www.zone-h.org/en/advisories/read/id=2710

Author: Trash-80 - dpangalos@linuxmail.org



Description

************

Zone-h Security Team has discovered a serious security flaw in Elite
News Ver. 1.0.0.0-1.0.0.3 Beta. Elite News is a news publishing
system which allows you to post news and reviews without a MySQL
database. Administrative access is protected only by a cookie that the
client controls, so anyone who knows (or sets) the right cookie can
post, modify and delete news as the administrator.


Details

********

1. Requesting stats.php directly discloses the Elite News
administrator's username; no authentication is required.

  ex: www.example.com/elitenews/stats.php

2. Enter the administrator's username in login.html, leave the
   password field blank and click "Login". login.php accepts the
   blank password and sets the cookies described below.

  ex: www.example.com/elitenews/login.html

3. Request newpost.php directly. Because the cookie is now set, the
   page presents the posting form and a message can be published as
   the Elite News administrator.



Furthermore

************

login.php sets cookies in the browser that carry the administrator's
username together with an "Elitenews" flag. The dump below is the
Internet Explorer cookie file as found under Temporary Internet Files;
each record consists of the cookie name, its value, the host and path,
a flags word, the expiry time (two 32-bit words), the creation time
(two 32-bit words) and a "*" terminator. The first record carries the
administrator's username (UserAdmin in the example), the second the
"Elitenews" flag set to 1.


Cookie content (Internet Explorer cookie-file format):

/elitenews
ex: UserAdmin
www.example.com/elitenews/
1536
2873507712
29576153
2673509856
29576139
*
Elitenews
1
www.example.com/elitenews/
1536
2873507712
29576153
2673509856
29576139
*



newpost.php reads the "Elitenews" cookie and, if it is non-empty, shows
the "Send" and "Reset" buttons that are hidden when the cookie is
absent. The value is never validated against anything on the server,
so the cookie can simply be created by hand: an attacker does not even
need to visit login.html, and the buttons being hidden does not stop a
crafted POST to newpost.php either.


Illustrative PHP code (reconstructed by the author to show the logic; not the vendor's source) and location:

/elitenews/newpost.php:
------------------------------------------------------------------------

<?php
// Reconstructed logic: the only "authorisation" check is that a
// client-supplied cookie named "Elitenews" is present and non-empty.
$admin = $HTTP_COOKIE_VARS["Elitenews"];
if ($admin != "")
{
    echo "<input type=submit value=Send><input type=reset value=Reset>";
}
?>

------------------------------------------------------------------------
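The check the snippet above describes, placed next to a hardened replacement, as an added Python example (not code from Elite News or Zone-h). The cookie name "Elitenews" and the non-empty test come from the advisory; the session cookie name "en_session", the user record, the password and the PBKDF2 parameters are assumptions made for this example.

```python
"""Model of the Elite News admin check and a hardened replacement.
Added example; not code from Elite News or Zone-h.  Only the cookie
name "Elitenews" and the non-empty test come from the advisory."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

ADMIN_FLAG_COOKIE = "Elitenews"   # name from the advisory's PHP snippet
SESSION_COOKIE = "en_session"     # assumption: chosen for this example
PBKDF2_ROUNDS = 100_000           # assumption: example parameter


def parse_cookies(cookie_header):
    """Turn a raw Cookie: header value into {name: value}."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return {name: morsel.value for name, morsel in jar.items()}


# --- vulnerable check, as the advisory describes newpost.php ---------------
def vulnerable_is_admin(cookie_header):
    """Mirrors: $admin = $HTTP_COOKIE_VARS["Elitenews"]; if ($admin != "").
    The cookie is client-controlled, so its presence proves nothing."""
    return parse_cookies(cookie_header).get(ADMIN_FLAG_COOKIE, "") != ""


def forged_cookie_header():
    """An attacker never needs login.php: sending this header is enough."""
    return f"{ADMIN_FLAG_COOKIE}=1"


# --- hardened version: real password check, server-side session -----------
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


_SALT = secrets.token_bytes(16)
# Constructed user record for the example only; a real deployment loads
# this from a file or database and never hard-codes a password.
USERS = {"UserAdmin": (_SALT, _hash_password("correct horse battery", _SALT))}
_DUMMY = (_SALT, _hash_password("dummy", _SALT))  # same work for unknown users
SESSIONS = {}  # token -> username; kept on the server, not in the cookie


def hardened_login(username, password):
    """Return a Set-Cookie value on success, None on failure.
    A blank password is rejected outright (step 2 of the advisory)."""
    if password == "":
        return None
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if not ok or username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return (f"{SESSION_COOKIE}={token}; Path=/elitenews; "
            "HttpOnly; Secure; SameSite=Strict")


def hardened_is_admin(cookie_header):
    """newpost.php, fixed: authority comes from the server-side session
    table, never from the content of a cookie the client can write."""
    token = parse_cookies(cookie_header).get(SESSION_COOKIE)
    return token is not None and token in SESSIONS


def logout(cookie_header):
    """Invalidate the session server-side; clearing the cookie alone
    would leave a captured token usable."""
    token = parse_cookies(cookie_header).get(SESSION_COOKIE)
    return SESSIONS.pop(token, None) is not None


if __name__ == "__main__":
    forged = forged_cookie_header()
    print("forged cookie, vulnerable check:", vulnerable_is_admin(forged))
    print("forged cookie, hardened check:  ", hardened_is_admin(forged))
    print("blank password accepted?        ",
          hardened_login("UserAdmin", "") is not None)
    set_cookie = hardened_login("UserAdmin", "correct horse battery")
    print("real login, hardened check:     ",
          hardened_is_admin(set_cookie.split(";")[0]))
```

The hardened login deliberately hashes a dummy record for unknown usernames so that the response time does not reveal whether a name exists, which matters here because stats.php already leaks the administrator's name and a fix should not replace one enumeration path with another.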

The same cookie check gates the other administrative scripts, such as
modify.php and editordelete.php, so existing news can be edited and
deleted in the same way.


Solution:

*********

The vendor has been contacted; no patch is available yet. Until one is,
administrators should restrict access to stats.php and to the
administrative scripts (newpost.php, modify.php, editordelete.php) at
the web-server level, since the application's own cookie check cannot
be relied upon.


Trash-80 - www.zone-h.org operator

http://www.zone-h.org