P-News Input Validation Flaw in 'p-news.php' Lets Remote Authenticated Users Create and Access Administrator Accounts
|
SecurityTracker Alert ID: 1006842
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: May 24 2003
|
Impact: Modification of user information, User access via network
|
Exploit Included: Yes
|
Version(s): 1.16
|
Description: An input validation vulnerability was reported in P-News. A remote authenticated user can gain administrator access to the forum software.
It is reported that a remote authenticated user (with a valid 'Member' account) can exploit a flaw in the 'p-news.php' file to create a new account. The remote authenticated user can inject the following type of text into the 'Name' field in the 'edit account information' section:
Peter|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|none@nowhere.com|-|
According to the report, this information will be written to the database. The '0' field denotes administrative privileges.
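An added example, not part of the advisory and not P-News code: a Python model of the '|-|'-separated rows shown in the report, with the unvalidated write beside a validating one and an audit that flags rows carrying surplus fields. The function names, the name policy and the sample values are assumptions made for illustration.

```python
import re

DELIM = "|-|"   # field separator shown in the advisory's database rows
FIELDS = 4      # name, password hash, level, e-mail (layout shown in the advisory)
NAME_RE = re.compile(r"[A-Za-z0-9_. -]{1,32}")  # assumed name policy, not P-News's own

def naive_row(name, pw_hash, level, email):
    """Vulnerable 'before': values are joined with no validation."""
    return DELIM.join([name, pw_hash, level, email]) + DELIM

def safe_row(name, pw_hash, level, email):
    """Hardened 'after': refuse any value that could change the row structure."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name contains characters outside the allowed set")
    for value in (pw_hash, level, email):
        if "|" in value or "\n" in value or "\r" in value:
            raise ValueError("separator or line break in field value")
    return naive_row(name, pw_hash, level, email)

def parse_row(line):
    """Model of a reader that trusts the first four fields of each row."""
    parts = line.rstrip("\r\n").split(DELIM)
    if len(parts) < FIELDS:
        raise ValueError("short row")
    name, pw_hash, level, email = parts[:FIELDS]
    extra = [p for p in parts[FIELDS:] if p.strip()]
    return {"name": name, "hash": pw_hash, "level": level, "email": email, "extra": extra}

def audit(rows):
    """Detection: names of rows carrying more fields than the format allows."""
    return [r["name"] for r in map(parse_row, rows) if r["extra"]]

# Constructed sample values (placeholder hashes, example.com addresses).
ADMIN_HASH, MEMBER_HASH = "a" * 32, "b" * 32
CRAFTED_NAME = DELIM.join(["Peter", ADMIN_HASH, "0", "none@example.com"]) + DELIM
DB = [
    naive_row("Admin", ADMIN_HASH, "0", "admin@example.com"),
    naive_row(CRAFTED_NAME, MEMBER_HASH, "2", "peter@example.com"),
]

if __name__ == "__main__":
    print("levels as read:", [parse_row(r)["level"] for r in DB])
    print("rows flagged by audit:", audit(DB))
    try:
        safe_row(CRAFTED_NAME, MEMBER_HASH, "2", "peter@example.com")
    except ValueError as exc:
        print("safe_row rejected the crafted name:", exc)
```

Running audit() over an existing user file shows whether any stored row already has more than four populated fields, which is the trace this flaw leaves behind.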
|
Impact: A remote authenticated user can create and access an administrator account on the P-News system.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.ppopn.net/work/ppopn/index.php?view=pdown&pd=detail&id=2
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: "Peter Winter-Smith" <peter4020@hotmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Sat, 24 May 2003 09:15:47 +0000
From: "Peter Winter-Smith" <peter4020@hotmail.com>
Subject: [VulnWatch] P-News 1.16 Admin Access Vulnerability
|
Admin Access Vulnerability in P-News 1.6
Url: http://www.ppopn.net
It is possible to gain admin access if you possess a 'Member'
account due to a flaw in the 'p-news.php' file.
You can inject an entire arbitrary account, including all the fields, into
the 'Name' field, which will push all the restricting details to the far end
of the data string, not allowing them to be included in the login process.
Below is an example of a normal database:
Admin|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|p-news-admin@ppopn.net|-|
Peter|-|179ad45c6ce2cb97cf1029e212046e81|-|2|-|peter@aol.com|-|
Notice the '0' denotes an 'admin' account, and the '2' denotes a 'member'
account.
Injecting:
Peter|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|none@nowhere.com|-|
Into the 'Name' field in the edit account information section will give the
malicious user admin privileges.
The database then looks like:
Admin|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|p-news-admin@ppopn.net|-|
Peter|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|none@nowhere.com|-||-|179ad45c6ce2cb97cf1029e212046e81 |-|2|-|peter@aol.com|-|
================================================================
Operating system and servicepack level:
Windows/Linux/Unix + PHP
Software:
P-News 1.16 (possibly 1.17)
Under what circumstances the vulnerability was discovered:
Under a vulnerability search.
If the vendor has been notified:
The vendor has not been notified because he does not speak English, so much
confusion may arise.
How to contact you for further information:
I can always be reached at peter4020@hotmail.com
Please credit this find to:
Peter Winter-Smith of Team UEC
Thank you for your time,
-Peter