From: Arek Suroboyo (ar3su_at_yahoo.com)
Date: Sat Jul 27 2002 - 14:56:27 CDT
AresU Advisory
18/July/2002
Easy Homepage Creator Vulnerability
Severity : High (Possible to edit member homepage)
Systems Affected:
Advanced Easy Homepage Creator v1.0
Easy Homepage Creator v1.0
Vendor URL: http://www.easyscripts.co.uk
Vuln Type : It does not use Access Validation to edit homepage
Author : AresU
Greetz to : Bosen, Tioeuy, eF73, SakitJiwa, nimdA,
Br0374l, FreshFirst, Algorithm, Mr.Padang
Adv.URL : http://bosen.net/advisories/aresu-adv.001.txt
Summary
=======
Anyone can easily change another user's homepage, because
editing a homepage requires no access validation.
Solution
========
Add access validation to the "print_html_to_file"
function.
Add this code to edit.cgi:
sub login_check
{
    # Refuse the request if either credential is missing.
    if ($FORM{'username'} eq "" or $FORM{'password'} eq "")
    {
        dienice("Sorry, but you haven't entered a Username or Password. Please press the 'back' button on your browser to return to the login screen.");
    }

    # Credentials are compared in lower case.
    $FORM{'username'} =~ tr/A-Z/a-z/;
    $FORM{'password'} =~ tr/A-Z/a-z/;

    # The username is used in a file name below, so refuse path
    # separators, "..", and NUL bytes.
    if ($FORM{'username'} =~ m{[/\\\0]|\.\.})
    {
        dienice("Sorry, but you have entered an invalid username or password. Please press the 'back' button on your browser to return to the login form.");
    }

    # Load the stored profile for this username.
    open(PROFILE,"<$rootdir/profiles/$FORM{'username'}.pro") || dienice("Sorry, but you have entered an invalid username or password. Please press the 'back' button on your browser to return to the login form.");
    @DATA = <PROFILE>;
    chomp(@DATA);
    close(PROFILE);

    # The submitted username and password must both match the profile.
    if (!($FORM{'username'} eq "$DATA[1]" && $FORM{'password'} eq "$DATA[2]"))
    {
        dienice("Sorry, but you have entered an invalid username or password. Please press the 'back' button on your browser to return to the Login Form and try logging-in again.");
    }

    # Refuse banned users.
    open(CHECK_USERNAME,"<$rootdir/profiles/ban_users.dat") || dienice("Configuration Error! Unable to open ban_users.dat file for reading. Please contact the webmaster of this web site. The following error occurred : $!");
    @check = <CHECK_USERNAME>;
    chomp(@check);
    close(CHECK_USERNAME);

    foreach $line (@check)
    {
        # \Q...\E keeps regex metacharacters in the username literal.
        if ($line =~ /\Q$FORM{'username'}\E/i)
        {
            dienice("Sorry, but you have been banned from using the Homepage Creator. You should have been sent an email explaining why you have been banned from using the Homepage Creator. For more details contact the webmaster of this web site.");
        }
    }
}

# Print an error page and stop processing the request.
sub dienice
{
    my($msg) = @_;
    print <<EndHTML;
<html>
<head>
<title>Homepage Login Error</title>
</head>
<body bgcolor="$bg_colour" link="$hyperlinks_colour" vlink="$hyperlinks_colour" alink="$hyperlinks_colour">
<p align="center">$logo_url $banner_url</p>
<hr color="$linebreakcolour">
<p align="left"><b><font face="Times New Roman" color="$title_colour" size="5"> Homepage Login Error</font></b></p>
<p align="left"><font face="Verdana" size="2" color="$field_text_colour"><b>$msg</b></font></p>
<hr color="$linebreakcolour">
<p align="center"><font size="1" face="Verdana" color="$field_text_colour"><b>&copy; Copyright <a href="http://www.easyscripts.co.uk">Easy Scripts Archive</a> 2001. All Rights Reserved.</b></font></p>
</body>
</html>
EndHTML
    exit;
}
Then add this as the first line of the
"print_html_to_file" function:
    &login_check;
Acknowledgments
===============
Vulnerability discovery, exploit code, and advisory by AresU
Vendor Response
===============
The vendor was contacted about 10 days ago but has not
fixed the issue yet.
Exploit Code
============
Change the action in the HTML form.
- application/x-zip-compressed attachment: easyhomepage.zip