[VulnWatch] P-News 1.16 Admin Access Vulnerability

• Previous message: iDEFENSE Labs: "[VulnWatch] iDEFENSE Security Advisory 05.22.03: Authentication Bypass in iisPROTECT"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: vuln@secunia.com
Date: Sat, 24 May 2003 09:15:47 +0000

Admin Access Vulnerability in P-News 1.6

Url: http://www.ppopn.net

It is possible to gain admin access if you possess a 'Member'
account due to a flaw in the 'p-news.php' file.
You can inject an entire arbitrary account, including all the fields, into
the 'Name' field, which will push all the restricting details to the far end
of the data string, not allowing them to be included in the login process.
Below is an example of a normal database:

Admin|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|p-news-admin@ppopn.net|-|
Peter|-|179ad45c6ce2cb97cf1029e212046e81|-|2|-|peter@aol.com|-|

Notice the '0' denotes an 'admin' account, and the '2' denotes a 'member'
account.
Injecting:

Peter|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|none@nowhere.com|-|

Into the 'Name' field in the edit account information section will give the
malicious user admin privileges.
The database then looks like:

Admin|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|p-news-admin@ppopn.net|-|
Peter|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|none@nowhere.com|-||-|179ad45c6ce2cb97cf1029e212046e81|-|2|-|peter@aol.com|-|

================================================================

Operating system and servicepack level:
Windows/Linux/Unix + PHP

Software:
P-News 1.16 (possibly 1.17)

Under what circumstances the vulnerability was discovered:
Under a vulnerability search.

If the vendor has been notified:
The vendor has not been notified because he does not speak English, so much
confusion may arise.

How to contact you for further information:
I can always be reached at peter4020@hotmail.com

Please credit this find to:
Peter Winter-Smith of Team UEC

Thank you for your time,
-Peter

_________________________________________________________________
Sign-up for a FREE BT Broadband connection today!
http://www.msn.co.uk/specials/btbroadband

• Previous message: iDEFENSE Labs: "[VulnWatch] iDEFENSE Security Advisory 05.22.03: Authentication Bypass in iisPROTECT"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [VULNERABILITY] PHP poster version.two ... This is my first time posting a vulnerability since most of my private ... If a user has their account type set to 'normal' by the administrator, ... Where James has an administrator account, and Jack doesn't. ... (Bugtraq) Re: I hate disgruntled employees! ... since I dont have admin access then I can which means Email, ... network drives are out of the question and the IT guy is ... You can try logging on with the built-in Administrator account ... Here's how to logon as Administrator in XP Pro. ... (microsoft.public.windowsxp.security_admin) [VulnWatch] Vulnerability in poster version.two ... This is my first time posting a vulnerability since most of my private ... If a user has their account type set to 'normal' by the administrator, ... Where James has an administrator account, and Jack doesn't. ... (VulnWatch) [UNIX] Admin Access Vulnerability in P-News (Records Injection) ... housewarming rates on automated network vulnerability ... 'Member' privileges to gain elevated privileges by inserting an additional ... account due to a flaw in the 'p-news.php' file. ... Below is an example of a normal database: ... (Securiteam) RE: about SQL injection ... That is a very common vulnerability. ... That means a hacker and retrieve almost everything that the account that you ... Earn your MS in Information Security ONLINE ... (Security-Basics)