[VulnWatch] P-News 1.16 Admin Access Vulnerability

From: Peter Winter-Smith (peter4020_at_hotmail.com)
Date: 05/24/03

  • Next message: K. K. Mookhey: "[VulnWatch] NII Advisory - Buffer Overflow in Analogx Proxy"
    To: vuln@secunia.com
    Date: Sat, 24 May 2003 09:15:47 +0000
    
    

    Admin Access Vulnerability in P-News 1.6

    Url: http://www.ppopn.net

    It is possible to gain admin access if you possess a 'Member'
    account due to a flaw in the 'p-news.php' file.
    You can inject an entire arbitrary account, including all the fields, into
    the 'Name' field, which will push all the restricting details to the far end
    of the data string, not allowing them to be included in the login process.
    Below is an example of a normal database:

    Admin|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|p-news-admin@ppopn.net|-|
    Peter|-|179ad45c6ce2cb97cf1029e212046e81|-|2|-|peter@aol.com|-|

    Notice the '0' denotes an 'admin' account, and the '2' denotes a 'member'
    account.
    Injecting:

    Peter|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|none@nowhere.com|-|

    Into the 'Name' field in the edit account information section will give the
    malicious user admin privileges.
    The database then looks like:

    Admin|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|p-news-admin@ppopn.net|-|
    Peter|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|none@nowhere.com|-||-|179ad45c6ce2cb97cf1029e212046e81|-|2|-|peter@aol.com|-|

    ================================================================

    Operating system and servicepack level:
    Windows/Linux/Unix + PHP

    Software:
    P-News 1.16 (possibly 1.17)

    Under what circumstances the vulnerability was discovered:
    Under a vulnerability search.

    If the vendor has been notified:
    The vendor has not been notified because he does not speak English, so much
    confusion may arise.

    How to contact you for further information:
    I can always be reached at peter4020@hotmail.com

    Please credit this find to:
    Peter Winter-Smith of Team UEC

    Thank you for your time,
    -Peter

    _________________________________________________________________
    Sign-up for a FREE BT Broadband connection today!
    http://www.msn.co.uk/specials/btbroadband


  • Next message: K. K. Mookhey: "[VulnWatch] NII Advisory - Buffer Overflow in Analogx Proxy"

    Relevant Pages

    • PayPal Inc BB #85 MB iOS 4.6 - Auth Bypass Vulnerability
      ... PayPal Inc BB #85 MB iOS 4.6 - Auth Bypass Vulnerability ... a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. ... The Vulnerability Laboratory Research Team discovered a security auth protection mechanism bypass vulnerability in the PayPal Inc iOS Mobile Application. ...
      (Bugtraq)
    • [Full-disclosure] PayPal Bug Bounty #110 - Auth Bypass (Session) Vulnerability
      ... PayPal Bug Bounty #110 - Auth Bypass Vulnerability ... a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. ... PayPal will attempt to take funds for a purchase from funding sources according to a specified ...
      (Full-Disclosure)
    • PayPal Bug Bounty #110 - Auth Bypass (Session) Vulnerability
      ... PayPal Bug Bounty #110 - Auth Bypass Vulnerability ... a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. ... PayPal will attempt to take funds for a purchase from funding sources according to a specified ...
      (Bugtraq)
    • [Full-disclosure] Sony Playstation Network Account Service System - Password Reset (Session)
      ... Sony Playstation Network Account Service System - Password Reset Vulnerability ... The Vulnerability Laboratory Research Team discovered a critical remote web vulnerability in the official PSN Network Accounting Service. ... A critical Password Reset vulnerability is detected in the Sony PSN Network Web Server Auth System Account Application. ...
      (Full-Disclosure)
    • PayPal Inc #86 iOS 4.6 - Validation & Design Vulnerability
      ... Common Vulnerability Scoring System: ... a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. ... It may also charge a fee for receiving money, proportional to the amount received. ... During the transaction process of an amount i found a way to include a valid string with incorrect values to the payment procedure. ...
      (Bugtraq)