 
From: Arek Suroboyo (ar3su_at_yahoo.com)
Date: Sat Jul 27 2002 - 14:58:55 CDT


    AresU Advisory
    19/July/2002

    Easy Guestbook Vulnerabilities

    Severity : High (Possible to edit member homepage)
    Systems Affected: Easy Guestbook v1.0
    Vendor URL : http://www.easyscripts.co.uk
    Vuln Type : It does not use Access Validation to delete the entries
    and log in as Admin Control.
    Author : AresU
    Greetz to : Bosen, Tioeuy, eF73, SakitJiwa, nimdA, Br0374l, FreshFirst,
    Algorithm, Mr.Padang
    Adv.URL : http://bosen.net/advisories/aresu-adv.002.txt

    Summary
    =======
    1) Everyone can delete the entries and log in as Admin Control.
    2) Everyone can reconfigure the Guestbook when they open config.cgi
    and change the Admin Password.

    Solution
    ========
    1) Add Access Validation on the "delete_message" function and the
    "start" function.

       Add this code to admin.cgi:

       # Check the submitted credentials against the configured admin
       # username and password, and abort the request if they do not match.
       sub login_verify
       {
            chomp($FORM{'login_username'});
            chomp($FORM{'login_password'});
            if (!($FORM{'login_username'} eq $username &&
                  $FORM{'login_password'} eq $password))
            {
              dienice("Sorry, but you have entered an invalid username or password. " .
                      "Please press the 'back' button on your browser to return to the Login Screen.");
            }
       }

       And add this as the first line of the "delete_message" function
       and the "start" function, so neither runs without a valid login:
       &login_verify;

       And in the "start" function add this code inside the <FORM>, so the
       credentials are carried along to the next request:
       <input type="hidden" name="login_username" value="$FORM{'login_username'}">
       <input type="hidden" name="login_password" value="$FORM{'login_password'}">

    2) Delete config.cgi after you finish configuring the Guestbook.

    Acknowledgments
    ===============
    Vulnerability discovery, exploit code, and advisory by
    AresU

    Vendor Response
    ===============
    The vendor was contacted about 10 days ago but has still not fixed it.

    Exploit Code
    ============
    Change the action in the HTML form.

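Added example, not code from the advisory or from Easy Guestbook: a self-contained Perl CGI sketch of the access-validation gate the advisory describes, with a dispatcher that routes the "start" and "delete_message" actions through login_verify before doing anything else, so an action name alone can no longer reach a privileged function. It uses the CGI module for parameter parsing and the defined-or operator (Perl 5.10+); the admin credentials in $username/$password are placeholders standing in for the values the real script reads from its configuration, the constant-time compare is an addition of this example, and the data file name and one-entry-per-line layout are assumptions.

```perl
#!/usr/bin/perl
# Added example: a minimal admin.cgi-style dispatcher that gates every
# privileged action behind login_verify. Not Easy Guestbook's own code.
use strict;
use warnings;
use CGI qw(param header);

# Assumed admin credentials (placeholders); the real script reads them
# from its configuration file.
my $username = 'admin';
my $password = 'CHANGE-ME-placeholder';

# Assumed data file name and layout (hypothetical): one entry per line.
my $datafile = 'guestbook.txt';

# Compare two strings in time independent of where they first differ.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
    }
    return $diff == 0;
}

# Access validation: reject the request unless both credentials match.
sub login_verify {
    my $u = param('login_username') // '';
    my $p = param('login_password') // '';
    chomp($u);
    chomp($p);
    unless (const_eq($u, $username) && const_eq($p, $password)) {
        print header(-status => '403 Forbidden', -type => 'text/plain');
        print "Invalid username or password.\n";
        exit 0;
    }
}

# Delete one entry; only runs after login_verify has passed.
sub delete_message {
    login_verify();
    my $id = param('id') // '';
    $id =~ /^[0-9]+$/ or do {
        print header(-status => '400 Bad Request', -type => 'text/plain');
        print "Bad entry id.\n";
        exit 0;
    };
    # Rewrite the data file without the entry at line number $id.
    open my $in, '<', $datafile or die "cannot read $datafile: $!";
    my @lines = <$in>;
    close $in;
    splice @lines, $id, 1 if $id < @lines;
    open my $out, '>', $datafile or die "cannot write $datafile: $!";
    print {$out} @lines;
    close $out;
    print header(-type => 'text/plain'), "Deleted entry $id\n";
}

# Admin control panel; also gated, as the advisory requires.
sub start {
    login_verify();
    print header(-type => 'text/plain'), "Admin control panel\n";
}

# Only actions listed here are reachable, and each one checks the login itself.
my %dispatch = (
    start          => \&start,
    delete_message => \&delete_message,
);
my $action = param('action') // '';
if (my $handler = $dispatch{$action}) {
    $handler->();
} else {
    print header(-status => '400 Bad Request', -type => 'text/plain');
    print "Unknown action.\n";
}
```

Run it from a CGI-enabled web server, or offline from the command line with CGI.pm's argument syntax, e.g. `perl admin.cgi action=delete_message id=3 login_username=admin login_password=CHANGE-ME-placeholder`. Putting the check inside each privileged function rather than only at the dispatcher means a new entry point added later still fails closed if its author forgets the gate.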