More Critical Vulnerabilities In PHP Topsites

From: JeiAr (jeiar@kmfms.com)
Date: 01/21/03

    Date: 21 Jan 2003 17:00:53 -0000
    From: JeiAr <jeiar@kmfms.com>
    To: bugtraq@securityfocus.com
    
    

    Version: All
    Script: edit.php
    Vendor: itop10.net
    Type: Code Injection/Execution Vulnerability
    ---------------------------------------------------------------------------
    Another critical vulnerability has been found by the CyberArmy Security
    Research Team that affects PHP Topsites. It is a different script
    vulnerable to the same attack as the previously released add.php
    vulnerability. A user cannot submit a site containing invalid
    metacharacters if the PHP Topsites owner or admin has applied the patch,
    written an ereg() check himself, used the htmlspecialchars() function, etc.
    However, once a site has been accepted, a malicious user can edit their
    site description and then submit the site for revalidation. When the admin
    views the site submitted for revalidation, any code injected into the
    description field (or other fields) will run in the admin's browser
    without their knowledge.

    Version: All
    Script: edit.php
    Vendor: itop10.net
    Type: SQL Injection/User Account Disclosure Vulnerability
    ---------------------------------------------------------------------------
    PHP Topsites has a very poor authentication system: by adding the
    variable auth=1 and terminating the SQL query with the -- characters, an
    attacker can gain access to any user account he/she has an account number
    for. You can TRY to quickly patch this by checking the referrer and request
    method, but it is advised to just get another topsites script, since there
    is no real fix for this that would be very secure. Below is an example of
    how an attacker can disclose user account info via a malformed URL. This
    works even if the previous fix to edit.php was applied.

    http://somewebsite.com/topsitesdir/edit.php?a=pre&submit=&auth=1&sid=thesiteidnumgoeshere--
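    Both findings above come down to the same mistakes in edit.php: trusting
    request variables (auth, sid) for authorisation and for building the SQL
    query, and rendering stored site descriptions to the admin without escaping.
    The following is an added example written for this page, not the itop10.net
    PHP Topsites code, showing what a hardened edit.php-style handler looks like.
    The table and column names, the session layout, the CSRF token and the PDO
    connection details are all assumptions.

```php
<?php
// Added example (not the itop10.net PHP Topsites code): a hardened
// edit.php-style handler. Table/column names, session layout, CSRF token
// and the PDO connection are assumptions made for illustration.

declare(strict_types=1);
session_start();

// Assumed connection. Emulated prepares are off so placeholders are bound
// server-side and a value such as "123--" is passed as data, never as SQL.
$pdo = new PDO('mysql:host=localhost;dbname=topsites', 'topsites', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

/**
 * SQL injection / account disclosure fix, part 1: authorisation comes from
 * the server-side session, never from a client-supplied variable like auth=1.
 */
function requireLogin(): int
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Login required');
    }
    return (int) $_SESSION['user_id'];
}

/**
 * SQL injection / account disclosure fix, part 2: sid must be purely numeric
 * and is bound as a parameter; the query also checks ownership, so a valid id
 * belonging to another user returns nothing.
 */
function loadOwnSite(PDO $pdo, int $userId, string $rawSid): ?array
{
    if (!ctype_digit($rawSid)) {
        return null;                      // rejects "", "12--", "1 OR 1=1", ...
    }
    $stmt = $pdo->prepare(
        'SELECT id, title, description FROM sites WHERE id = :sid AND owner_id = :uid'
    );
    $stmt->execute([':sid' => (int) $rawSid, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Code injection fix: the description is stored as submitted (length-capped)
 * and escaped at output time, so "<script>" in the description renders as
 * text on the admin's revalidation page instead of executing.
 */
function saveDescription(PDO $pdo, int $siteId, string $description): void
{
    $description = mb_substr($description, 0, 500);
    $stmt = $pdo->prepare(
        'UPDATE sites SET description = :d, needs_revalidation = 1 WHERE id = :sid'
    );
    $stmt->execute([':d' => $description, ':sid' => $siteId]);
}

// Single escaping helper used for every user-controlled value that is echoed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- request handling ---
$userId = requireLogin();
$site   = loadOwnSite($pdo, $userId, (string) ($_GET['sid'] ?? ''));
if ($site === null) {
    http_response_code(404);
    exit('No such site');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['description'])) {
    // Assumed: a CSRF token kept in the session and echoed into the form below.
    if (!hash_equals($_SESSION['csrf'] ?? '', (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(400);
        exit('Bad request');
    }
    saveDescription($pdo, (int) $site['id'], (string) $_POST['description']);
    $site['description'] = (string) $_POST['description'];
}

// The admin's revalidation view must escape the description with the same
// h() call before displaying it.
echo '<h1>' . h($site['title']) . '</h1>';
echo '<form method="post">';
echo '<input type="hidden" name="csrf" value="' . h($_SESSION['csrf'] ?? '') . '">';
echo '<textarea name="description">' . h($site['description']) . '</textarea>';
echo '<button>Submit for revalidation</button></form>';
```

    A referrer or request-method check, the quick patch mentioned above, leaves
    the query itself unchanged. Only binding sid as a parameter (and rejecting
    non-numeric ids) removes the -- trick, and only session-held authorisation
    removes the effect of auth=1; escaping on output closes the description
    field regardless of what filtering add.php applies at submission time.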

    The writer of the scripts located at http://www.itop10.net really doesn't
    seem to care about keeping his users safe, as he has not issued a warning
    to potential customers as well as existing customers. Nor has he quit
    selling the buggy scripts for $60 US a pop. I am no lawyer, but isn't
    this somewhat illegal? Negligence maybe? Ah well, you guys decide, I'm sure
    someone out there is a lawyer. Cheers :)

    JeiAr

    All credit goes to The CyberArmy Security Research ACAT Team

    http://www.security-research.org
    http://www.gulftech.org


