OSEC

 
From: Arek Suroboyo (ar3su_at_yahoo.com)
Date: Sat Jul 27 2002 - 14:56:27 CDT


    AresU Advisory
    18/July/2002

    Easy Homepage Creator Vulnerability

    Severity : High (any member's homepage can be edited)
    Systems Affected:
    Advanced Easy Homepage Creator v1.0
    Easy Homepage Creator v1.0

    Vendor URL: http://www.easyscripts.co.uk
    Vuln Type : Missing access validation on the homepage
    edit function
    Author : AresU
    Greetz to : Bosen, Tioeuy, eF73, SakitJiwa, nimdA,
    Br0374l, FreshFirst, Algorithm, Mr.Padang
    Adv.URL :
    http://bosen.net/advisories/aresu-adv.001.txt

    Summary
    =======
    Anyone can change another user's homepage, because the
    function that writes the homepage performs no access
    validation at all.

    Solution
    ========
    Add access validation to the "print_html_to_file"
    function.

    Add this code to edit.cgi (it relies on the script's
    existing %FORM hash, $rootdir, and the colour/logo
    configuration variables):

      sub login_check
      {
         if ($FORM{'username'} eq "" or $FORM{'password'} eq "")
         {
            dienice("Sorry, but you haven't entered a Username or Password. Please press the 'back' button on your browser to return to the login screen.");
         }
         $FORM{'username'} =~ tr/A-Z/a-z/;
         $FORM{'password'} =~ tr/A-Z/a-z/;

         # The username is used as a file name below, so reject anything
         # outside a safe character set; otherwise "../" in the field
         # opens files outside $rootdir/profiles.
         if ($FORM{'username'} !~ /^[a-z0-9_-]+$/)
         {
            dienice("Sorry, but you have entered an invalid username or password. Please press the 'back' button on your browser to return to the login form.");
         }

         open(PROFILE, "<$rootdir/profiles/$FORM{'username'}.pro")
            || dienice("Sorry, but you have entered an invalid username or password. Please press the 'back' button on your browser to return to the login form.");
         @DATA = <PROFILE>;
         chomp(@DATA);
         close(PROFILE);

         # Profile layout assumed here: line 2 holds the username and
         # line 3 the password ($DATA[1] and $DATA[2]).
         if (!($FORM{'username'} eq $DATA[1] && $FORM{'password'} eq $DATA[2]))
         {
            dienice("Sorry, but you have entered an invalid username or password. Please press the 'back' button on your browser to return to the Login Form and try logging-in again.");
         }

         open(CHECK_USERNAME, "<$rootdir/profiles/ban_users.dat")
            || dienice("Configuration Error! Unable to open ban_users.dat file for reading. Please contact the webmaster of this web site. The following error occurred : $!");
         @check = <CHECK_USERNAME>;
         chomp(@check);
         close(CHECK_USERNAME);

         foreach $line (@check)
         {
            # Exact, quoted match: \Q...\E stops regex metacharacters in
            # the username from changing the pattern, and the anchors
            # stop "bob" from being banned because "bobby" is.
            if ($line =~ /^\Q$FORM{'username'}\E$/i)
            {
               dienice("Sorry, but you have been banned from using the Homepage Creator. You should have been sent an email explaining why you have been banned from using the Homepage Creator. For more details contact the webmaster of this web site.");
            }
         }
      }

      sub dienice
      {
         my($msg) = @_;
         # The EndHTML terminator must start its line with no indentation.
         print <<EndHTML;
         <html>
         <head>
         <title>Homepage Login Error</title>
         </head>
         <body bgcolor="$bg_colour" link="$hyperlinks_colour" vlink="$hyperlinks_colour" alink="$hyperlinks_colour">
         <p align="center">$logo_url&nbsp;&nbsp; $banner_url</p>
         <hr color="$linebreakcolour">
         <p align="left"><b><font face="Times New Roman" color="$title_colour" size="5"> Homepage Login Error</font></b></p>
         <p align="left"><font face="Verdana" size="2" color="$field_text_colour"><b>$msg</b></font></p>
         <hr color="$linebreakcolour">
         <p align="center"><font size="1" face="Verdana" color="$field_text_colour"><b>&copy; Copyright <a href="http://www.easyscripts.co.uk">Easy Scripts Archive</a> 2001.&nbsp; All Rights Reserved.</b></font></p>
         </body>
         </html>
EndHTML
         exit;
      }

    Then add this as the first line of the "print_html_to_file"
    function, so every edit request is authenticated before
    any file is written:

      &login_check;

       
    Acknowledgments
    ===============
    Vulnerability discovery, exploit code, and advisory by
    AresU

    Vendor Response
    ===============
    The vendor was contacted about 10 days ago but has not
    yet fixed it.

    Exploit Code
    ============
    Change the action in the HTML form.
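
    The bug and the fix above, modelled as an added example in
    Python (not the Easy Homepage Creator code, which is Perl CGI).
    A dict stands in for %FORM, PROFILES for the $rootdir/profiles/*.pro
    files, BAN_USERS for ban_users.dat and HOMEPAGES for the files
    print_html_to_file writes; the profile layout (index 1 username,
    index 2 password) follows the $DATA[1]/$DATA[2] indexes of the
    fix, and the users, passwords and the USERNAME_RE charset policy
    are constructed for the example. edit_homepage with
    require_login=False reproduces the unpatched print_html_to_file
    that a changed form action reaches directly; with
    require_login=True it runs login_check first. The check adds two
    hardening steps a reviewer would insist on: the username is
    restricted to a safe character set before it selects a file, and
    the ban list is matched exactly rather than by an unescaped regex.

```python
"""Model of the Easy Homepage Creator authorization bug and its fix.

Constructed example, not the project's Perl code: PROFILES stands in
for the $rootdir/profiles/*.pro files, BAN_USERS for ban_users.dat,
HOMEPAGES for the files print_html_to_file writes, and a dict for %FORM.
"""
import hmac
import re

# Constructed sample data.  Profile lines follow the layout the fix's
# check assumes: index 1 is the username, index 2 the password.
PROFILES = {
    "alice.pro":   ["Alice's homepage", "alice", "s3cret"],
    "bob.pro":     ["Bob's homepage", "bob", "hunter2"],
    "mallory.pro": ["Mallory's homepage", "mallory", "letmein"],
}
BAN_USERS = ["mallory"]
HOMEPAGES = {"alice": "<h1>Alice</h1>", "bob": "<h1>Bob</h1>"}

# The username becomes part of a file name, so only allow a safe charset
# (assumed policy for this example; the original script imposes none).
USERNAME_RE = re.compile(r"^[a-z0-9_-]{1,32}$")


def login_check(form):
    """Return the authenticated username or raise PermissionError.

    Same steps as the advisory's login_check: require both fields,
    lower-case the username, read the profile, compare, then consult
    the ban list.  Two hardening steps are added: the charset check
    (rejects "../" names before any file lookup) and an exact ban-list
    match instead of an unescaped, substring regex match.
    """
    user = form.get("username", "").lower()
    password = form.get("password", "")
    if not user or not password:
        raise PermissionError("missing username or password")
    if not USERNAME_RE.match(user):
        raise PermissionError("invalid username")
    profile = PROFILES.get(user + ".pro")
    if profile is None:
        raise PermissionError("invalid username or password")
    # Constant-time comparison so a wrong password and a wrong username
    # are not distinguishable by timing.
    if not (hmac.compare_digest(profile[1].encode(), user.encode())
            and hmac.compare_digest(profile[2].encode(), password.encode())):
        raise PermissionError("invalid username or password")
    if user in BAN_USERS:
        raise PermissionError("banned")
    return user


def edit_homepage(form, require_login):
    """Model of print_html_to_file.

    require_login=False reproduces the unpatched script: whoever names a
    user in the form rewrites that user's page, no credentials needed,
    which is what pointing the form action at the edit function gives
    an attacker.  require_login=True is the fix: login_check runs first
    and only the authenticated user's own page is written.
    Returns ("ok", new_page) or ("denied", reason).
    """
    if require_login:
        try:
            user = login_check(form)
        except PermissionError as denied:
            return ("denied", str(denied))
    else:
        user = form.get("username", "")
    HOMEPAGES[user] = form.get("html", "")
    return ("ok", HOMEPAGES[user])


if __name__ == "__main__":
    # Attacker request: names alice, supplies no password at all.
    attack = {"username": "alice", "html": "<h1>defaced</h1>"}
    print("unpatched:", edit_homepage(attack, require_login=False))
    print("patched:  ", edit_homepage(attack, require_login=True))
    # alice editing her own page through the patched handler.
    print("owner:    ", edit_homepage({"username": "Alice", "password": "s3cret",
                                       "html": "<h1>restored</h1>"}, require_login=True))
```

    Note that the model compares the password exactly as typed; the
    Perl fix lower-cases it first, which only makes sense if the
    registration script stores passwords lower-cased too.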
