Easy Homepage Creator Access Control Flaw Lets Remote Users Edit Other Users' Home Pages

SecurityTracker Alert ID: 1004863
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 28 2002
Impact: Modification of user information
Version(s): 1.0

Description: A vulnerability was reported in the Easy Homepage Creator CGI script. A remote user can edit any user's homepage.
It is reported that the CGI script does not control access to page editing functions. Anyone can change another user's homepage.
Some demonstration exploit code is provided in the Source Message (it is a Base64-encoded zip file).
The vendor has reportedly been notified.

Impact: A remote user can edit a user's homepage.
Solution: No solution was available at the time of this entry.
The author of the report has provided an unofficial patch (available in the Source Message).
Vendor URL: www.easyscripts.co.uk/hc_index.htm
Cause: Access control error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: Arek Suroboyo <ar3su@yahoo.com>
Message History: None.

Source Message Contents

Date: Sat, 27 Jul 2002 12:56:27 -0700 (PDT)
From: Arek Suroboyo <ar3su@yahoo.com>
Subject: Easy Homepage Creator Vulnerability

AresU Advisory
18/July/2002

Easy Homepage Creator Vulnerability

Severity : High (Possible to edit member homepage)
Systems Affected:
Advanced Easy Homepage Creator v1.0
Easy Homepage Creator v1.0
Vendor URL: http://www.easyscripts.co.uk
Vuln Type : It does not use Access Validation to edit homepage
Author : AresU
Greetz to : Bosen, Tioeuy, eF73, SakitJiwa, nimdA, Br0374l, FreshFirst, Algorithm, Mr.Padang
Adv.URL : http://bosen.net/advisories/aresu-adv.001.txt

Summary
=======
Everyone can easily change another user's homepage without Access Validation.

Solution
========
Add Access Validation on "print_html_to_file" function.
Add edit.cgi with this code:

sub login_check
{
    # Reject empty credentials before touching any profile file.
    if ($FORM{'username'} eq "" or $FORM{'password'} eq "")
    {
        dienice("Sorry, but you haven't entered a Username or Password. Please press the 'back' button on your browser to return to the login screen.");
    }
    # Username and password are compared in lower case.
    $FORM{'username'} =~ tr/A-Z/a-z/;
    $FORM{'password'} =~ tr/A-Z/a-z/;
    # The username becomes part of the profile file name, so it should be
    # limited to the characters valid in usernames before this point.
    open(PROFILE,"<$rootdir/profiles/$FORM{'username'}.pro")
        || dienice("Sorry, but you have entered an invalid username or password. Please press the 'back' button on your browser to return to the login form.");
    @DATA = <PROFILE>;
    chomp(@DATA);
    # Line 2 of the profile holds the username, line 3 the password.
    if (!($FORM{'username'} eq $DATA[1] && $FORM{'password'} eq $DATA[2]))
    {
        dienice("Sorry, but you have entered an invalid username or password. Please press the 'back' button on your browser to return to the Login Form and try logging-in again.");
    }
    close(PROFILE);
    open(CHECK_USERNAME,"<$rootdir/profiles/ban_users.dat")
        || dienice("Configuration Error! Unable to open ban_users.dat file for reading. Please contact the webmaster of this web site. The following error occurred : $!");
    @check = <CHECK_USERNAME>;
    chomp(@check);
    close(CHECK_USERNAME);
    foreach $line (@check)
    {
        # \Q...\E matches the username literally (case-insensitive substring
        # match), so regex metacharacters in the input are not interpreted.
        if ($line =~ /\Q$FORM{'username'}\E/i)
        {
            dienice("Sorry, but you have been banned from using the Homepage Creator. You should have been sent an email explaining why you have been banned from using the Homepage Creator. For more details contact the webmaster of this web site.");
        }
    }
}

# Print an HTML error page with the given message and stop the script.
sub dienice
{
    my($msg) = @_;
    print <<EndHTML;
<html>
<head>
<title>Homepage Login Error</title>
</head>
<body bgcolor="$bg_colour" link="$hyperlinks_colour" vlink="$hyperlinks_colour" alink="$hyperlinks_colour">
<p align="center">$logo_url $banner_url</p>
<hr color="$linebreakcolour">
<p align="left"><b><font face="Times New Roman" color="$title_colour" size="5"> Homepage Login Error</font></b></p>
<p align="left"><font face="Verdana" size="2" color="$field_text_colour"><b>$msg</b></font></p>
<hr color="$linebreakcolour">
<p align="center"><font size="1" face="Verdana" color="$field_text_colour"><b>&copy; Copyright <a href="http://www.easyscripts.co.uk">Easy Scripts Archive</a> 2001. All Rights Reserved.</b></font></p>
</body>
</html>
EndHTML
    exit;
}

And on the first line of "print_html_to_file" function add this:

&login_check;

Acknowledgments
===============
Vulnerability discovery, exploit code, and advisory by AresU

Vendor Response
===============
Vendor has been contacted for about 10 days but they still haven't fixed it yet.

Exploit Code
============
Change action in the html form.

Attachment: easyhomepage.zip (application/x-zip-compressed, base64-encoded)