TUCoPS :: Web :: PHP :: bt666.txt

Elite News Ver. 1.0.0.0-1.0.0.3 Beta

Published: 16/07/2003
Released: 16/07/2003
Name: Elite News
Affected System(s): All versions
Severity: High
Platform(s): Windows and Unix
Issue: Security holes enable attackers to take administrative control
Original Advisory: http://www.zone-h.org/en/advisories/read/id=2710
Author: Trash-80 - dpangalos@linuxmail.org







Description
************

Zone-h Security Team has discovered a serious security flaw in Elite News
Ver. 1.0.0.0-1.0.0.3 Beta.
Elite News is a news publishing system which allows you to easily post
news and reviews without a MySQL database.





Details
********

1. Direct access to the stats.php file allows you to see the Elite News
   administrator's username.

   ex: www.example.com/elitenews/stats.php

2. Fill in the administrator's username in login.html.
   Leave the password field blank.
   Click "Login".

   ex: www.example.com/elitenews/login.html

3. Then directly access newpost.php to post a message as an Elite News
   administrator.







Furthermore
************

login.php sets a cookie in your temporary internet files with the
administrator's username.

Cookie content:

/elitenews
ex: UserAdmin
www.example.com/elitenews/
1536
2873507712
29576153
2673509856
29576139
*
Elitenews
1
www.example.com/elitenews/
1536
2873507712
29576153
2673509856
29576139
*

newpost.php "reads" this cookie and thus it's possible to see the "Send"
and "Reset" buttons, which are not shown if you don't log in with the
administrator's username.





(Bogus) PHP Code/Location:

/elitenews/newpost.php:
------------------------------------------------------------------------

<?php
// Reads the "Elitenews" cookie straight from the client; any non-empty
// value, including one the visitor sets themselves, passes the check.
$admin = $HTTP_COOKIE_VARS["Elitenews"];
if ($admin != "")
{
    // The admin-only form controls are merely hidden, not access-controlled.
    echo "<input type=submit value=Send><input type=reset value=Reset>";
}
?>

------------------------------------------------------------------------



It's also possible to access other Elite News files like modify.php,
editordelete.php etc...
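As an added illustration (not Elite News code and not from the Zone-h advisory), the cookie-trusting admin check from newpost.php is shown beside a hardened version that keeps the admin flag in a server-side session set only after a password check; the function names and the $adminStore credential array are assumptions.

```php
<?php
// Added example, not Elite News code: the cookie-trusting admin check from
// newpost.php beside a session-based one. Function names are assumptions.

// Vulnerable pattern: a non-empty "Elitenews" cookie, which the browser's
// owner can create or edit at will, is taken as proof of admin rights.
function isAdminViaCookie(array $cookies): bool
{
    return isset($cookies['Elitenews']) && $cookies['Elitenews'] !== '';
}

// Hardened pattern: only an opaque session id reaches the client; the
// admin flag lives in $_SESSION and is set solely after a password check.
function loginAdmin(string $user, string $password, array $adminStore): bool
{
    // $adminStore: username => password_hash() output (assumed storage).
    if ($password === '' || !isset($adminStore[$user])) {
        return false;                      // blank password never logs in
    }
    if (!password_verify($password, $adminStore[$user])) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);           // new id on privilege change
    $_SESSION['admin_user'] = $user;       // server side, not a cookie
    return true;
}

function isAdminViaSession(): bool
{
    return session_status() === PHP_SESSION_ACTIVE
        && !empty($_SESSION['admin_user']);
}

// Gate for newpost.php, modify.php, editordelete.php: refuse the request
// instead of merely hiding the Send/Reset buttons.
function requireAdmin(): void
{
    if (!isAdminViaSession()) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed check: a forged cookie satisfies the vulnerable test, while
// the session test stays false until loginAdmin() succeeds.
var_dump(isAdminViaCookie(['Elitenews' => '1']));
var_dump(isAdminViaSession());
```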





Solution:
*********

The vendor has been contacted and a patch has not yet been produced.

Trash-80 - www.zone-h.org operator
http://www.zone-h.org





