SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Pharao Portal System
Vendors:   pharao.sourceforge.net
Pharao Web Portal Software Has Multiple Flaws That Allow Remote Users to Access the System as Any User and to Read Files on the Server
SecurityTracker Alert ID:  1004365
SecurityTracker URL:  http://securitytracker.com/id/1004365
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 24 2002
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 0.06.04
Description:   Several vulnerabilities were reported in the Pharao web forum software. A remote user can determine the installation path, send anonymous messages, gain access to user and administrator accounts, and read files on the system.

Frog-m@n reported these bugs in a report (in French) available at:

http://www.ifrance.com/kitetoua/tuto/Pharao.txt

A remote user can access the 'admin.php' script with a malformed cookie (e.g., pharao06=nimportequellevalor) to cause the system to return an error message that discloses the physical path of the CGI software.

A remote user can access user and administrator accounts by setting the appropriate cookies. To access one's own account with administrator privileges, a cookie of the following form can be set (with the 'value' portion Base64 encoded):

"pharao06","YOURNICK;YOURNAME;;;;classic_blue;en_GB;english;5"

To access another user's account, the following type of cookie can be set (with the 'value' portion Base64 encoded):

"pharao06","ANICK;HISNAME;;;;classic_blue;en_GB;english;2"

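The cookie above is only Base64-encoded, so every field in it, including the final one that the advisory's examples set to 5 for administrator access, is chosen by the client. The following is an added example, not taken from the advisory or from Pharao's code (Python is used as a stand-in for the PHP application; `SERVER_KEY`, the function names and the sample values are assumptions). It shows the server-side mitigation: authenticate the value with an HMAC and reject any cookie that does not verify.

```python
import base64
import hashlib
import hmac

# Assumption: a secret that never leaves the server (constructed demo value).
SERVER_KEY = b"constructed-demo-key-not-for-production"

def parse_fields(value: str) -> dict:
    """Split the nine semicolon-delimited fields shown in the advisory."""
    parts = value.split(";")
    if len(parts) != 9:
        raise ValueError("unexpected field count")
    return {"nick": parts[0], "name": parts[1], "level": parts[-1]}

def _tag(body: str) -> str:
    """HMAC-SHA256 over the encoded cookie body, as a hex string."""
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_cookie(value: str) -> str:
    """Return '<base64 value>.<hex tag>' for a value the server built itself."""
    body = base64.urlsafe_b64encode(value.encode()).decode()
    return f"{body}.{_tag(body)}"

def verify_cookie(cookie: str):
    """Return the parsed fields, or None if the cookie is unsigned or altered."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # bare Base64 value with no tag, as in the advisory
    # Constant-time comparison of the received tag with the expected one.
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return None
    try:
        return parse_fields(base64.urlsafe_b64decode(body).decode())
    except (ValueError, UnicodeDecodeError):
        return None

if __name__ == "__main__":
    # Constructed sample: a cookie the server issued for an ordinary account.
    issued = issue_cookie("alice;Alice;;;;classic_blue;en_GB;english;2")
    print(verify_cookie(issued))
```

Keeping the privilege level in a server-side session keyed by a random identifier removes the field from the client entirely; signing is the smaller change when the cookie format has to stay.
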
A remote user can send a specially crafted request using the 'filelist.php' script to view any file on the same partition that is readable by the web server. Some demonstration exploit URLs are provided:

/filelist.php?op=view&ttitle=No%20Security&tcontent=admin
/filelist.php?op=view&ttitle=No%20Security&tcontent=../../../../..
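
The 'tcontent' parameter in the URLs above is used as a path without being confined to the directory the script is meant to list. The following is an added example, not taken from the advisory or from Pharao's code (Python is used as a stand-in for the PHP script; `resolve_under`, `demo` and the directory names are assumptions). It shows a containment check that resolves the requested path first and then compares whole path components against the listing root.

```python
import os
import tempfile

def resolve_under(base_dir: str, tcontent: str) -> str:
    """Map a client-supplied 'tcontent' value to a path inside base_dir.

    Raises PermissionError when the resolved path leaves base_dir.
    """
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks before the comparison.
    target = os.path.realpath(os.path.join(base, tcontent))
    # commonpath compares whole components, so a sibling such as
    # 'files_old' does not pass as being inside 'files' the way a
    # plain startswith() test would allow.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"outside listing root: {tcontent!r}")
    return target

def demo() -> dict:
    """Run the check over constructed inputs in a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "files")
        os.makedirs(os.path.join(root, "admin"))
        os.makedirs(os.path.join(tmp, "files_old"))
        for value in ["admin", "../../../../..", "../files_old", "/etc"]:
            try:
                resolve_under(root, value)
                results[value] = "allowed"
            except PermissionError:
                results[value] = "rejected"
    return results

if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{value!r}: {outcome}")
```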

A remote user can send anonymous messages using the 'message.php' script by setting the 'authorid' field to an arbitrary value. A remote user can also send messages impersonating another user on the system by setting the 'authorid' field to the other user's nickname.

A remote user can also conduct cross-site scripting attacks against Pharao users. The 'message.php' script allows a remote user to inject scripting code into a new message. When the message is viewed by a target user, the scripting code will be executed by the target user's browser. The code will execute in the security context of the site running Pharao and will be able to access the target user's cookies associated with that site. A demonstration exploit URL is provided:

message.php?mid=&mdestinationid=DESTINATAIRE&msubject=SUJET&mcontent=MSG&op=update&update=create&submit=speichern

Impact:   A remote user can determine the installation path. A remote user can send anonymous messages on the system or can send messages posing as another user. A remote user can gain access to user and administrator accounts or can access their own account with administrative privileges. A remote user can read files that are readable by the web server and are located anywhere on the same partition on the system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  pharao.sourceforge.net/
Cause:   Access control error, Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  Security holes : Linker, Pharao




Product1 :
Linker
http://enproject.codelib.co.kr

Versions :
2.0

Problems :
- Reading in HD
- Information recovery (passwords, DBHOST, DBUSER,...)

Exploits :
- /imageview.php?uid=../function/pass_info.php or /imageview.php?uid=../function/base_info.php
- Set cookies :
"admin_login","1"
"linker_key1",$adminid (pass_info.php)
"linker_key2",$adminpw (pass_info.php)

More details in french :
http://www.ifrance.com/kitetoua/tuto/Linker.txt

translated by google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FLinker.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools

*****************************************************

Product2 :
Pharao
http://pharao.sourceforge.net

Versions :
0.06.04

Problems :
- XSS
- Path disclosure
- Sending msg anonymously
- Access to users/admins accounts
- Reading in HD

Exploits :
- Set cookie "pharao06","YOURNICK;YOURNAME;;;;classic_blue;en_GB;english;5" with value base64 crypted

- Set cookie "pharao06","ANICK;HISNAME;;;;classic_blue;en_GB;english;2"

- /filelist.php?op=view&ttitle=No%20Security&tcontent=admin

etc...

More details in french :
http://www.ifrance.com/kitetoua/tuto/Pharao.txt

translated by google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FPharao.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools

frog-m@n
