Easy Guestbook Vulnerabilities
From: Arek Suroboyo (ar3su@yahoo.com) Date: 07/27/02
Date: Sat, 27 Jul 2002 12:58:55 -0700 (PDT)
From: Arek Suroboyo <ar3su@yahoo.com>
To: bugtraq@securityfocus.com
AresU Advisory
19/July/2002
Easy Guestbook Vulnerabilities
Severity : High (possible to edit member homepage)
Systems Affected: Easy Guestbook v1.0
Vendor URL : http://www.easyscripts.co.uk
Vuln Type : No access validation on deleting entries or logging in to Admin Control.
Author : AresU
Greetz to : Bosen, Tioeuy, eF73, SakitJiwa, nimdA, Br0374l, FreshFirst, Algorithm, Mr.Padang
Adv.URL : http://bosen.net/advisories/aresu-adv.002.txt
Summary
=======
1) Anyone can delete entries and log in to Admin Control, because neither action checks credentials.
2) Anyone can reconfigure the guestbook, including changing the admin password, by opening config.cgi.
Solution
========
1) Add access validation to the "delete_message" function and the "start" function.
Add this code to admin.cgi:
sub login_verify
{
    # Strip the trailing newline a form submission may carry on each field.
    chomp($FORM{'login_username'});
    chomp($FORM{'login_password'});
    # $username and $password are the admin credentials the script already
    # holds; stop here unless both submitted values match them exactly.
    if (!($FORM{'login_username'} eq $username &&
          $FORM{'login_password'} eq $password))
    {
        dienice("Sorry, but you have entered an invalid username or password. " .
                "Please press the 'back' button on your browser to return to the Login Screen.");
    }
}
Then add this as the first line of both the "delete_message" function and the "start" function, so the check runs before any privileged code:
&login_verify;
And in the "start" function, add these fields inside the <FORM> so the credentials are carried along to the next request:
<input type="hidden" name="login_username" value="$FORM{'login_username'}">
<input type="hidden" name="login_password" value="$FORM{'login_password'}">
2) Delete config.cgi once you have finished configuring the guestbook.
Acknowledgments
===============
Vulnerability discovery, exploit code, and advisory by AresU
Vendor Response
===============
The vendor has been contacted for about 10 days but still hasn't fixed it.
Exploit Code
============
Change the action in the HTML form.
- application/x-zip-compressed attachment: easyguestbook.zip