BugTraq
ZH2003-11SA (security advisory): Elite News Ver. 1.0.0.0-1.0.0.3 Beta Jul 16 2003 09:55PM
Jim Pangalos (dpangalos linuxmail org)


Published: 16/07/2003
Released: 16/07/2003
Name: Elite News
Affected System(s): All versions
Severity: High
Platform(s): Windows and Unix
Issue: Security holes enable attackers to take administrative control
Original Advisory: http://www.zone-h.org/en/advisories/read/id=2710
Author: Trash-80 - dpangalos (at) linuxmail (dot) org

Description
************

Zone-h Security Team has discovered a serious security flaw in Elite News Ver. 1.0.0.0-1.0.0.3 Beta.

Elite News is a news publishing system which allows you to easily post news and reviews without a MySQL database.

Details
********

1. Direct access to the stats.php file reveals the Elite News administrator's username.
   ex: www.example.com/elitenews/stats.php

2. Fill in the administrator's username in login.html, leave the password field blank, and click "Login".
   ex: www.example.com/elitenews/login.html

3. Then directly access newpost.php to post a message as an Elite News administrator.

Furthermore
************

login.php sets a cookie in your temporary internet files with the administrator's username.

Cookie content:

/elitenews
ex: UserAdmin
www.example.com/elitenews/
1536
2873507712
29576153
2673509856
29576139
*
Elitenews
1
www.example.com/elitenews/
1536
2873507712
29576153
2673509856
29576139
*

newpost.php "reads" this cookie, so it is possible to see the "Send" and "Reset" buttons, which are not shown if you don't log in with the administrator's username.

(Bogus) PHP Code/Location:

/elitenews/newpost.php:

------------------------------------------------------------------------
<?php
// Any non-empty "Elitenews" cookie value passes this check.
$admin = $HTTP_COOKIE_VARS["Elitenews"];
if ($admin != "")
{
    echo "<input type=submit value=Send><input type=reset value=Reset>";
}
?>
------------------------------------------------------------------------

It's also possible to access other Elite News files like modify.php, editordelete.php etc.

Solution:
*********

The vendor has been contacted; a patch has not yet been produced.

Trash-80 - www.zone-h.org operator
http://www.zone-h.org
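
A server-side replacement for the cookie check in newpost.php, as an added example that is not part of the original advisory and not Elite News code: login state is kept in a PHP session and an empty password is rejected. The function names, ADMIN_USER and ADMIN_HASH are assumptions made for illustration.

```php
<?php
// Added example: hypothetical auth guard, not Elite News code.
// Assumption: ADMIN_USER and ADMIN_HASH come from a config file outside the
// web root, and ADMIN_HASH was produced once with password_hash().
const ADMIN_USER = 'UserAdmin';   // constructed sample value
define('ADMIN_HASH', password_hash('constructed-sample-password', PASSWORD_DEFAULT));

function start_admin_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Requires PHP 7.3+ for the array form.
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
        session_start();
    }
}

// login.php: both fields are checked on the server; an empty password never passes.
function login(string $user, string $password): bool
{
    start_admin_session();
    if ($password === '' || !hash_equals(ADMIN_USER, $user)) {
        return false;
    }
    if (!password_verify($password, ADMIN_HASH)) {
        return false;
    }
    session_regenerate_id(true);      // drop any pre-login session id
    $_SESSION['is_admin'] = true;     // the flag lives on the server, not in a cookie value
    return true;
}

// Call at the top of newpost.php, modify.php, editordelete.php and stats.php,
// before any output, so direct requests without a valid session are refused.
function require_admin(): void
{
    start_admin_session();
    if (($_SESSION['is_admin'] ?? false) !== true) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

The browser only holds an opaque session id, so setting an "Elitenews" cookie by hand no longer grants anything, and the form handlers perform the same check as the page that renders the buttons.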
