Zone-H Security Advisory ZH2003-11SA - Elite News version 1.0.0.0-1.0.0.3 Beta allows direct access to various system files which enables an attacker to retrieve the administrator login name, then utilize that name on another page to set a cookie that will be referenced by yet another page that allows an attacker to post as the administrator.
ZH2003-11SA (security advisory): Elite News Ver. 1.0.0.0-1.0.0.3 Beta
Published: 16/07/2003
Released: 16/07/2003
Name: Elite News
Affected System(s): All versions
Severity: High
Platform(s): Windows and Unix
Issue: Security holes enable attackers to take administrative control
Original Advisory: http://www.zone-h.org/en/advisories/read/id=2710
Author: Trash-80 - dpangalos@linuxmail.org
Description
************
Zone-h Security Team has discovered a serious security flaw in Elite News Ver.1.0.0.0-1.0.0.3 Beta.
Elite News is a news publishing system which allows you to easily post news and reviews without a MySQL database.
Details
********
1. Direct access to the stats.php file allows you to see the Elite News administrator's username.
ex: www.example.com/elitenews/stats.php
2. Fill in the administrator's username in login.html.
Leave the password field blank.
Click "Login".
ex: www.example.com/elitenews/login.html
3. Then directly access newpost.php to post a message as an Elite News administrator.
Furthermore
************
login.php sets a cookie in your temporary internet files with the administrator's username.
Cookie content:
/elitenews
ex: UserAdmin
www.example.com/elitenews/
1536
2873507712
29576153
2673509856
29576139
*
Elitenews
1
www.example.com/elitenews/
1536
2873507712
29576153
2673509856
29576139
*
newpost.php reads this cookie, which makes it possible to see the "Send" and "Reset" buttons; these are not shown if you don't log in with the administrator's username.
(Bogus) PHP Code/Location:
/elitenews/newpost.php:
------------------------------------------------------------------------
<?php
// The only check is that the client-supplied "Elitenews" cookie is non-empty.
$admin = $HTTP_COOKIE_VARS["Elitenews"];
if ($admin != "")
{
    echo "<input type=submit value=Send><input type=reset value=Reset>";
}
?>
------------------------------------------------------------------------
It's also possible to access other Elite News files, such as modify.php, editordelete.php, etc.
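A server-side check that closes the path described above, given here as an added example and not as Elite News or Zone-H code: the login rejects a blank password and records the result in server-side session data, and the page guard ignores the Elitenews cookie entirely. The names handle_login, require_admin, the is_admin session key and the sample credentials are assumptions made for illustration.

```php
<?php
// Added example, not Elite News code. All names below are hypothetical.

// Constructed account record. A real install would generate the hash once
// and store it outside the web root; it is computed here only so the
// example is self-contained.
$ADMIN = [
    'user' => 'UserAdmin',
    'hash' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT),
];

// login.php: verify the credentials, then record the result server-side.
// In the web app, pass $_POST and $_SESSION after session_start(), and call
// session_regenerate_id(true) when this returns true.
function handle_login(array $post, array &$session, array $admin): bool
{
    $user = isset($post['user']) ? (string) $post['user'] : '';
    $pass = isset($post['pass']) ? (string) $post['pass'] : '';
    // A blank password (advisory step 2) never authenticates.
    $ok = $pass !== ''
        && hash_equals($admin['user'], $user)
        && password_verify($pass, $admin['hash']);
    $session['is_admin'] = $ok;
    return $ok;
}

// Guard to call at the top of newpost.php, modify.php, editordelete.php and
// stats.php. It never reads the Elitenews cookie, because the client
// controls that value.
function require_admin(array $session): bool
{
    return isset($session['is_admin']) && $session['is_admin'] === true;
}

// Constructed requests replaying the advisory's steps against the guard.
if (PHP_SAPI === 'cli') {
    $session = [];
    $steps = [
        'direct request, no login' => require_admin($session),
        'login with blank password' => handle_login(['user' => 'UserAdmin', 'pass' => ''], $session, $ADMIN),
        'guard after blank-password login' => require_admin($session),
        'login with correct password' => handle_login(['user' => 'UserAdmin', 'pass' => 'constructed-sample-pw'], $session, $ADMIN),
        'guard after real login' => require_admin($session),
    ];
    foreach ($steps as $label => $result) {
        echo $label, ': ', var_export($result, true), PHP_EOL;
    }
}
```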
Solution:
*********
The vendor has been contacted, and no patch has been produced yet.
Trash-80 - www.zone-h.org operator
http://www.zone-h.org