ptnews.txt

Posted Apr 22, 2003
Authored by Arnaud Jacques | Site securiteinfo.com

PT News v1.7.7 allows access to administrator functionality without authentication via news.inc which is included in the index.php file.

tags | exploit, php
SHA-256 | 19a14860edc87b027dcbf04677ec6da894af40a35495ef42885e005193b55ad5

PTNews v1.7.7 - Access to administrator functions without authentication


.oO Overview Oo.
PTNews v1.7.7 - Access to administrator functions without authentication
Discovered on 2003, April, 7th
Vendor: PTNews - http://www.openbg.net/ptsite/

PT News is a simple news system. This is a lite solution for sites without SQL
database support. The whole system is written in PHP (PHP3 and PHP4 support).
A vulnerability allows access to the administrator functions without
authentication.


.oO Details Oo.
In PTNews v1.7.7, the administrator functions are located in the file news.inc.
Here is the interesting piece of code:

    //handle administrator functions

    $files = getFileNames($newsdir);
    $context = "";

    if ($HTTP_POST_VARS[submitButton] == $lang[frm_btn]) {
        createNewsEntry($newsdir);
        if ("replace" == $HTTP_POST_VARS[action] &&
            in_array($HTTP_POST_VARS[file], $files)) {
            deleteNewsEntry($newsdir.$HTTP_POST_VARS[file]);
        }
        makeNewsRSS($newsdir);
    } elseif (isset($HTTP_GET_VARS[delete])) {
        if ("all" == $HTTP_GET_VARS[delete]) {
            $context = deleteAll($newsdir,$config[newssuff]);
        } else {
            if (in_array($HTTP_GET_VARS[delete], $files))
                deleteNewsEntry ($newsdir.$HTTP_GET_VARS[delete]);
        }
        makeNewsRSS($newsdir);
    } elseif (isset($HTTP_GET_VARS[edit]) &&
              in_array($HTTP_GET_VARS[edit], $files)) {
        $context = editNewsEntry($newsdir,$HTTP_GET_VARS[edit]);
    }


As you can see, it can handle:
- News creation
- News replacement
- News deletion
- News editing


Now, the file "news.inc" is included in the index.php file as follows:

    <html>
    <head>
    <title>PTNews Site</title>
    </head>
    <body>
    <?
    $newsdir = "news/";
    include ("news.inc");
    // handle CGI parameters
    if (!isset($HTTP_GET_VARS[pageNum])) $pageNum = 1;
    else $pageNum = $HTTP_GET_VARS[pageNum];
    if (!isset($HTTP_GET_VARS[topic])) {
        $topic="";
    } else {
        $topic=$HTTP_GET_VARS[topic];
    }
    $extra="";
    ?>
etc...


Bingo! The file "news.inc" is needed by the publicly accessible file
"index.php", for example for the "searchNews" or "displayNews" functions. But
since news.inc also contains the administrator functions, anybody who can
request index.php can reach the administrator functions...

.oO Exploit Oo.
OK, that's really easy. You just have to send a specific URL to access the
admin functions.

Function / URL:
Create a news entry / Not a URL: posted data only. Not impossible to exploit :)
Replace a news entry / Not a URL: posted data only. Not impossible to exploit :)
Delete all news / http://www.victim.com/ptnews/index.php?delete=all
Edit a news entry / Too difficult to exploit

.oO Solution Oo.
The solution is to separate the standard news functions from the administrator
news functions.
Standard news functions must go to news.inc
Administrator news functions must go to admin.inc

The vendor has been informed and solved the problem. Download ptnews 1.7.8 at:
http://www.openbg.net/ptsite/
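
Added example (not part of the original advisory or of the PTNews code): a check over web server access logs for the condition described above, flagging requests that hand the "delete" or "edit" parameters dispatched by news.inc to the public page. The /ptnews/ install path is taken from the advisory's example URL; the sample log lines and the .news file name are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# GET parameters that news.inc dispatches to administrator functions.
ADMIN_GET_PARAMS = {"delete", "edit"}
# Assumption: install path taken from the advisory's example URL.
PUBLIC_PATHS = {"/ptnews/", "/ptnews/index.php"}

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_admin_requests(lines):
    """Return findings for requests that reach admin code paths via the public page."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a parseable access-log line
        url = urlsplit(m.group("target"))
        if url.path not in PUBLIC_PATHS:
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        # Match on parameter names only; a value such as topic=delete is harmless.
        hits = sorted(ADMIN_GET_PARAMS.intersection(params))
        if hits:
            reason = "admin parameter on public page"
        elif m.group("method") == "POST":
            # Create/replace use POST fields, which access logs do not record.
            reason = "POST to public page (review)"
        else:
            continue
        findings.append({"host": m.group("host"), "time": m.group("time"),
                         "status": int(m.group("status")), "reason": reason,
                         "params": {k: params[k][0] for k in hits}})
    return findings

# Constructed sample lines (documentation addresses, invented file name).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Apr/2003:10:00:01 +0200] "GET /ptnews/index.php?pageNum=2 HTTP/1.0" 200 5120',
    '198.51.100.7 - - [07/Apr/2003:10:02:13 +0200] "GET /ptnews/index.php?delete=all HTTP/1.0" 200 812',
    '192.0.2.44 - - [07/Apr/2003:10:03:40 +0200] "GET /ptnews/index.php?topic=delete HTTP/1.0" 200 4000',
    '198.51.100.7 - - [07/Apr/2003:10:04:02 +0200] "GET /ptnews/?edit=20030401.news HTTP/1.0" 200 900',
    '203.0.113.5 - - [07/Apr/2003:10:05:55 +0200] "POST /ptnews/index.php HTTP/1.0" 200 300',
    'this line is not an access-log entry',
]
if __name__ == "__main__":
    print(*find_admin_requests(SAMPLE_LOG), sep="\n")
```

On a fixed installation, where the administrator functions live in a separate admin.inc, the public page should never receive these parameters, so any hit is worth a look.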


.oO Discovered by Oo.
Arnaud Jacques aka scrap
webmaster@securiteinfo.com
http://www.securiteinfo.com