SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  Ultimate PHP Board Vendors:  Hoeppner, Tim
Ultimate PHP Board Counter Error in 'register.php' Lets a Remote User Register With an Account Named 'admin'
SecurityTracker Alert ID:  1005136
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Aug 25 2002
Impact:  Modification of user information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 1.0b !!FIXED
Description:  A vulnerability was reported in Ultimate PHP Board (UPB). A remote user could spoof the administrator account.

It is reported that the system permits two accounts named 'admin' to exist. The original 'admin' account, created during installation, has 'Admin' privileges. A remote user can also register a second account named 'admin' through the normal registration form, and that account receives ordinary 'member' privileges. The holder of the second account cannot perform administrative actions, but can post or send messages that appear to come from the genuine 'admin' account.

[Editor's note: The vulnerable version is called, oddly enough, '1.0b !!FIXED'. According to this report, it is not fixed with regards to this vulnerability.]

Impact:  A remote user could register an ordinary member account with the name 'admin' to send spoofed messages appearing to originate from the administrator.
Solution:  No solution was available at the time of this entry.

The author of the report has provided the following solution (apparently from ewgenij_s at gmx.de):

in register.php change

$c = count($d)-2;

with

$c = count($d)-1;
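The counter error described above, as an added illustration that is not UPB's own code: a hypothetical flat-file duplicate-username check built around the reported count($d)-2 bound, beside a hardened check that does not depend on a hand-maintained counter at all. The file layout, function names and sample records are assumptions.

```php
<?php
// Added illustration, not code from UPB's register.php: a flat-file user
// store with one "username|passwordhash|level" record per line, scanned by
// the registration script to reject a duplicate username.
// Constructed sample data; the install-time admin is the last record.
$users = "alice|x|member\nbob|x|member\nadmin|x|Admin\n";

// Vulnerable shape, modelled on the reported counter error: explode() on a
// file ending in a newline yields an empty last element, and count($d)-2
// then stops one record short, so the stored 'admin' is never compared.
// The reported fix, count($d)-1, makes this loop reach the final record.
function name_taken_vulnerable(string $data, string $name): bool
{
    $d = explode("\n", $data);
    $c = count($d) - 2;          // off by one: the last real record is skipped
    for ($i = 0; $i < $c; $i++) {
        $f = explode('|', $d[$i]);
        if ($f[0] === $name) return true;
    }
    return false;
}

// Hardened form: no hand-maintained counter, blank lines skipped, and the
// comparison made case-insensitive so 'Admin' cannot shadow 'admin' either.
function name_taken_hardened(string $data, string $name): bool
{
    foreach (explode("\n", $data) as $line) {
        if (trim($line) === '') continue;
        [$user] = explode('|', $line, 2);
        if (strcasecmp(trim($user), trim($name)) === 0) return true;
    }
    return false;
}

// Registration gate: the vulnerable check lets a second 'admin' through,
// the hardened one refuses it (and refuses 'Admin' too).
foreach (['admin', 'Admin'] as $candidate) {
    printf("%-6s vulnerable=%s hardened=%s\n", $candidate,
        var_export(name_taken_vulnerable($users, $candidate), true),
        var_export(name_taken_hardened($users, $candidate), true));
}
```

With the sample file, the vulnerable loop reports both 'admin' and 'Admin' as free, while the hardened check rejects both.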

Vendor URL:  www.webrc.ca/php/upb.php
Cause:  State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  GooDWiN <badwin@rambler.ru>
Message History:   None.


 Source Message Contents

Date:  Sun, 25 Aug 2002 18:20:13 +0400 (MSD)
From:  GooDWiN <badwin@rambler.ru>
Subject:  [VulnWatch] `admin' bug in upb

 


product: Ultimate PHP Board (UPB) 
version: Public Beta 1.0b !!FIXED 
vendor: http://www.webrc.ca/php/upb.php
status: notified

------------------------------------------------
summary: upb allows two `admin' accounts to exist,
but with different access levels. this may
apply to spoofing attacks.
------------------------------------------------
 i registered the `admin' account within the install procedure. it has
`Admin' permissions. later i registered `admin' again the normal way (via
register.php) and upb didn't output any error. but THIS `admin' has `member'
permissions.

solution (from ewgenij_s@gmx.de)
---------

in register.php change

      $c = count($d)-2;

with

      $c = count($d)-1;


regardz,
GooDWiN /tF0KP
----------------------------
www.security-ru.net

Copyright 2002, SecurityGlobal.net LLC