TextPortal Default Password May Allow Remote Users to Gain Access
|
|
SecurityTracker Alert ID: 1006840
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: May 24 2003
|
Impact: User access via network
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 0.8 and prior versions
|
Description: A default configuration vulnerability was reported in TextPortal. A remote user can gain access to the system using a default password.
It is reported that the system is configured, by default, with a user account named 'god2'. This account has limited administrator
privileges. The default password is "12345" and is stored in encrypted form in admin_pass.php. According to the report, many administrators
do not change this default password.
A remote user can use the default password at the following URL to gain access on the target
TextPortal application wtih some administrative privileges:
http://[target]/admin.php
The following timeline is provided:
Discovery
date: 2003.05.10.
Vendor notified: 2003.05.10.
Vendor response: 2003.05.16.
|
Impact: A remote user can gain access to the portal application's administrative interface.
|
Solution: The vendor has reportedly issued a fixed version.
[Editor's note: The latest version that we found on the web site at the time of this entry was 0.80, dated April 22, 2003, which was still vulnerable.]
|
Vendor URL: www.textportal.hu/ (Links to External Site)
|
Cause: Configuration error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: "bugtracklist.fm" <bugtracklist@freemail.hu>
|
Message History:
None.
|
Source Message Contents
|
Date: Sat, 24 May 2003 00:15:52 +0200
From: "bugtracklist.fm" <bugtracklist@freemail.hu>
Subject: TextPortal Default Password Vulnerability
|
TextPortal Default Password Vulnerability
Advisory ID: B$H-2003:001
Advisory URL: http://www.tar.hu/bsh/reports/bsh-2003-001.txt
Date: 2003.05.22.
Original Advisory Date: 2003.05.10.
Discovery date: 2003.05.10.
Type: Vulnerability / Exploit
Product: TextPortal
Affected versions: All (as of discovery date)
Fixed Version: None
Vendor notified: 2003.05.10.
Vendor response: 2003.05.16.
Product/vendor URL: http://www.textportal.hu/
Author: B$H
Author info: bsh@tar.hu / http://www.tar.hu/bsh/
Greetz to : Sigterm, Dodge Viper, Geo, DVHC
------------------------------------------------------
Product description:
------------------------------------------------------
TextPortal is a text-based PHP portal system with forum, voitig,
user
registration, etc. To use this portal system you need only php on the
web
server.
------------------------------------------------------
Vulnerability:
------------------------------------------------------
The default admin password is: admin. The administrators change this
always.
You can change the admin passord at admin-menu -> admin passwor menu item.
The
admin password is in admin_pass.php :
<?php
god1¤t.gEaVtS1Uh86
god1-tmp¤d.9qw2fVYDNh2god2¤ijv.8ZKH0lW8s
god2¤3JVqJsoQ4Dph2
What is good2? Good 2 is also an administrator (editor). This user
hasn't
got full controll, but you can change many things:
- Voting
- Articles
- Downloads
- Links
- Gallery
- Forum
- Visitor's Book
- Statistics
The portal use the crypt php function to the passwords. So you can crack
this
password with any UNIX password cracker. The result: 3JVqJsoQ4Dph2:12345.
;)
The passwor is: 12345. Many people don't know this and they don't change
the
password.
------------------------------------------------------
Exsploit:
------------------------------------------------------
http://[target]/admin.php
Target 12345 and Enter. ;)
-----------------------------------------------------
Solution:
------------------------------------------------------
Chenge the editor password: admin menu > admin password > change
editor
password. Or write the crypted password to the admin_pass.php after the
part:
"god2¤".
B$H
bsh@tar.hu
www.tar.hu/bsh
2003.05.22.
|
|
