[VulnWatch] PTNews v1.7.7 - Access to administrator functions without authentification

From: scrap (webmaster@securiteinfo.com)
Date: 04/21/03

  • Next message: Matthew Murphy: "[VulnWatch] AN HTTPd Sample Script File Truncation"
    From: scrap <webmaster@securiteinfo.com>
    To: bugtraq@securityfocus.com
    Date: Mon, 21 Apr 2003 22:49:01 +0200
    
    

    PTNews v1.7.7 - Access to administrator functions without authentification

    .oO Overview Oo.
    PTNews v1.7.7 - Access to administrator functions without authentification
    Discovered on 2003, April, 7th
    Vendor: PTNews - http://www.openbg.net/ptsite/

    PT News is a simple news system. This is lite solution for sites without SQL
    database support. Whole system is written in PHP (PHP3 and PHP4 support).
    A vulnerability allows to access to the administrator functions, without
    authentification.

    .oO Details Oo.
    In PTNews v1.7.7, administrator functions are located in the file news.inc
    Here is the interesting piece of code :

    //handle administrator functions

    $files = getFileNames($newsdir);
    $context = "";

    if ($HTTP_POST_VARS[submitButton] == $lang[frm_btn]) {
       createNewsEntry($newsdir);
       if ("replace" == $HTTP_POST_VARS[action] &&
          in_array($HTTP_POST_VARS[file], $files)) {
          deleteNewsEntry($newsdir.$HTTP_POST_VARS[file]);
       }
       makeNewsRSS($newsdir);
    } elseif (isset($HTTP_GET_VARS[delete])) {
       if ("all" == $HTTP_GET_VARS[delete]) {
          $context = deleteAll($newsdir,$config[newssuff]);
       } else {
          if (in_array($HTTP_GET_VARS[delete], $files))
             deleteNewsEntry ($newsdir.$HTTP_GET_VARS[delete]);
       }
       makeNewsRSS($newsdir);
    } elseif (isset($HTTP_GET_VARS[edit]) &&
          in_array($HTTP_GET_VARS[edit], $files)) {
       $context = editNewsEntry($newsdir,$HTTP_GET_VARS[edit]);
    }

    As you can see, it can handle :
    - News creation
    - News replacement
    - News deletion
    - News editing

    Now, the file "news.inc" is included in the index.php file as followed :

    <html>
    <head>
    <title>PTNews Site</title>
    </head>
    <body>
    <?
       $newsdir = "news/";
       include ("news.inc");
       // handle CGI parameters
       if (!isset($HTTP_GET_VARS[pageNum])) $pageNum = 1;
       else $pageNum = $HTTP_GET_VARS[pageNum];
       if (!isset($HTTP_GET_VARS[topic])) {
           $topic="";
       } else {
          $topic=$HTTP_GET_VARS[topic];
       }
       $extra="";
    ?>
    etc...

    Bingo ! File "news.inc" is needed for the public access file "index.php", for
    example for the "searchNews" or "displayNews" functions. But as far as
    news.inc includes administrators functions, everybody can access the
    administrator function...

    .oO Exploit Oo.
    Ok, that's really easy. You just have to send a specific URL to access the
    admin functions.

    Function / URL :
    Create a news / Not an URL : only posted datas. Not impossible to exploit :)
    Replace a news / Not an URL : only posted datas. Not impossible to exploit :)
    Delete all news / http://www.victim.com/ptnews/ index.php?delete=all
    Edit a news / Too difficult to exploit

    .oO Solution Oo.
    The solution is to separate the standard news functions and the administrator
    news fonctions.
    Standard news functions must go to news.inc
    Administrator news fonctions must go to admin.inc

    The vendor has been informed and solved the problem. Download ptnews 1.7.8 at:
    http://www.openbg.net/ptsite/

    .oO Discovered by Oo.
    Arnaud Jacques aka scrap
    webmaster@securiteinfo.com
    http://www.securiteinfo.com


  • Next message: Matthew Murphy: "[VulnWatch] AN HTTPd Sample Script File Truncation"

    Relevant Pages