[UNIX] PTNews Vulnerability Allows Administrator Access without Authentication
From: SecuriTeam (support_at_securiteam.com)
Date: 04/28/03
- Previous message: support_at_securiteam.com: "[UNIX] Poppassd Local Root Vulnerability and Exploit (smbpasswd)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 28 Apr 2003 19:02:16 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -
PTNews Vulnerability Allows Administrator Access without Authentication
------------------------------------------------------------------------
SUMMARY
<http://www.openbg.net/ptsite/> PT News is "a simple news system. The
Lite solution is intended for sites without an SQL database. Whole system
is written in PHP (PHP3 and PHP4 support)". A vulnerability in the product
allows to access to the administrator's functions, without authentication.
DETAILS
Vulnerable systems:
* PTNews version 1.7.7
Immune systems:
* PTNews version 1.7.8
In PTNews, administrator's functions are located in the file news.inc.
Here is the interesting piece of code:
//handle administrator functions
$files = getFileNames($newsdir);
$context = "";
if ($HTTP_POST_VARS[submitButton] == $lang[frm_btn]) {
createNewsEntry($newsdir);
if ("replace" == $HTTP_POST_VARS[action] &&
in_array($HTTP_POST_VARS[file], $files)) {
deleteNewsEntry($newsdir.$HTTP_POST_VARS[file]);
}
makeNewsRSS($newsdir);
} elseif (isset($HTTP_GET_VARS[delete])) {
if ("all" == $HTTP_GET_VARS[delete]) {
$context = deleteAll($newsdir,$config[newssuff]);
} else {
if (in_array($HTTP_GET_VARS[delete], $files))
deleteNewsEntry ($newsdir.$HTTP_GET_VARS[delete]);
}
makeNewsRSS($newsdir);
} elseif (isset($HTTP_GET_VARS[edit]) &&
in_array($HTTP_GET_VARS[edit], $files)) {
$context = editNewsEntry($newsdir,$HTTP_GET_VARS[edit]);
}
As you can see, it can handle:
- News creation
- News replacement
- News deletion
- News editing
The file "news.inc" is included in the index.php file as follows:
< html>
< head>
< title>PTNews Site</title>
< /head>
< body>
<?
$newsdir = "news/";
include ("news.inc");
// handle CGI parameters
if (!isset($HTTP_GET_VARS[pageNum])) $pageNum = 1;
else $pageNum = $HTTP_GET_VARS[pageNum];
if (!isset($HTTP_GET_VARS[topic])) {
$topic="";
} else {
$topic=$HTTP_GET_VARS[topic];
}
$extra="";
?>
etc...
As can be seen, the File "news.inc" is needed by "index.php" (the
"searchNews" or "displayNews" functions come from there). However, as far
as news.inc goes it also includes other administrator functions, which of
course everybody can access.
Solution:
A solution would be to separate the standard news functions and the
administrator news functions.
The vendor has been informed and has issued a patch. Download ptnews 1.7.8
at: <http://www.openbg.net/ptsite/> http://www.openbg.net/ptsite/
ADDITIONAL INFORMATION
The information has been provided by <mailto:webmaster@securiteinfo.com>
scrap.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support_at_securiteam.com: "[UNIX] Poppassd Local Root Vulnerability and Exploit (smbpasswd)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
