TextPortal Default Password Vulnerability

From: bugtracklist.fm (bugtracklist_at_freemail.hu)
Date: 05/24/03

    To: <bugtraq@securityfocus.com>
    Date: Sat, 24 May 2003 00:15:52 +0200
    
    

    TextPortal Default Password Vulnerability

    Advisory ID: B$H-2003:001
    Advisory URL: http://www.tar.hu/bsh/reports/bsh-2003-001.txt
    Date: 2003.05.22.
    Original Advisory Date: 2003.05.10.
    Discovery date: 2003.05.10.
    Type: Vulnerability / Exploit
    Product: TextPortal
    Affected versions: All (as of discovery date)
    Fixed Version: None
    Vendor notified: 2003.05.10.
    Vendor response: 2003.05.16.
    Product/vendor URL: http://www.textportal.hu/

    Author: B$H
    Author info: bsh@tar.hu / http://www.tar.hu/bsh/
    Greetz to : Sigterm, Dodge Viper, Geo, DVHC

    ------------------------------------------------------
    Product description:
    ------------------------------------------------------

    TextPortal is a text-based PHP portal system with forum, voting, user
    registration, etc. To use this portal system you need only PHP on the
    web server.

    ------------------------------------------------------
    Vulnerability:
    ------------------------------------------------------

    The default admin password is: admin. Administrators always change
    this one.
    You can change the admin password at admin menu -> admin password menu
    item. The admin password is stored in admin_pass.php:

    <?php
    god1¤t.gEaVtS1Uh86
    god1-tmp¤d.9qw2fVYDNh2god2¤ijv.8ZKH0lW8s
    god2¤3JVqJsoQ4Dph2

    What is god2? god2 is also an administrator (editor). This user does
    not have full control, but can change many things:

    - Voting
    - Articles
    - Downloads
    - Links
    - Gallery
    - Forum
    - Visitor's Book
    - Statistics

    The portal uses the PHP crypt() function for the passwords, so you can
    crack this password with any UNIX password cracker. The result:
    3JVqJsoQ4Dph2:12345. ;)
    The password is: 12345. Many people don't know this and they don't
    change the password.

    ------------------------------------------------------
    Exploit:
    ------------------------------------------------------

    http://[target]/admin.php
    Type 12345 and press Enter. ;)

    -----------------------------------------------------
    Solution:
    ------------------------------------------------------

    Change the editor password: admin menu > admin password > change
    editor password. Or write the crypted password into admin_pass.php
    after the part: "god2¤".

    B$H
    bsh@tar.hu
    www.tar.hu/bsh

    2003.05.22.
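
For administrators checking an existing installation, the following added example (not part of the original advisory and not TextPortal code) tests each hash in admin_pass.php against the two default passwords the advisory names. It assumes entries have the form name¤hash with 13-character crypt() hashes; all function names are hypothetical.

```php
<?php
// Added audit example (not TextPortal code). Usage: php audit.php /path/to/admin_pass.php
// Assumption: entries look like name<0xA4 separator>13-character DES crypt() hash.

// The two default passwords named in the advisory.
const DEFAULT_PASSWORDS = ['admin', '12345'];

/** Extract [account, hash] pairs; tolerates ISO-8859-2 or UTF-8 "¤" and run-together entries. */
function parse_admin_pass(string $data): array
{
    preg_match_all('~([A-Za-z0-9_-]+)[\x80-\xff]+([./0-9A-Za-z]{13})~', $data, $m, PREG_SET_ORDER);
    return array_map(fn($e) => [$e[1], $e[2]], $m);
}

/** Return the default password that produces this hash, or null if none does. */
function matching_default(string $hash): ?string
{
    foreach (DEFAULT_PASSWORDS as $candidate) {
        // crypt() reuses the salt stored in the first two characters of the hash.
        if (hash_equals($hash, (string) crypt($candidate, $hash))) {
            return $candidate;
        }
    }
    return null;
}

/** Return one finding per account whose stored hash matches a default password. */
function audit(string $data): array
{
    $findings = [];
    foreach (parse_admin_pass($data) as [$account, $hash]) {
        $default = matching_default($hash);
        if ($default !== null) {
            $findings[] = "$account still uses the default password \"$default\"";
        }
    }
    return $findings;
}

// Without an argument, audit the listing quoted in the advisory (separator written as \xA4).
$sample = "<?php\ngod1\xA4t.gEaVtS1Uh86\ngod1-tmp\xA4d.9qw2fVYDNh2god2\xA4ijv.8ZKH0lW8s\ngod2\xA43JVqJsoQ4Dph2\n";
$data = isset($argv[1]) ? file_get_contents($argv[1]) : $sample;
if ($data === false) { fwrite(STDERR, "cannot read {$argv[1]}\n"); exit(2); }
$findings = audit($data);
foreach ($findings as $f) { echo "WARNING: $f\n"; }
if (!$findings) { echo "No default passwords found.\n"; }
exit($findings ? 1 : 0);
```

The script exits with status 1 when any account still has a default password, so it can be used in a scheduled check.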

