SecurityTracker.com

SecurityTracker Archives

Category: Application (Forum/Board/Portal) > Ultimate PHP Board
Vendors: Hoeppner, Tim
Ultimate PHP Board Counter Error in 'register.php' Lets a Remote User Register With an Account Named 'admin'
SecurityTracker Alert ID: 1005136
SecurityTracker URL: http://securitytracker.com/id/1005136
CVE Reference: GENERIC-MAP-NOMATCH
Date: Aug 25 2002
Impact: Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 1.0b !!FIXED
Description: A vulnerability was reported in Ultimate PHP Board (UPB). A remote user could spoof the administrator account.

It is reported that the system permits two accounts named 'admin' to exist. The original 'admin' account, created during installation, has 'Admin' privileges. A remote user can then register a second account named 'admin' through register.php, and that account receives only ordinary 'member' privileges. The holder of this second account cannot administer the board, but can post or send messages that appear to come from the legitimate 'admin' account.

[Editor's note: The vulnerable version is called, oddly enough, '1.0b !!FIXED'. According to this report, it is not fixed with regards to this vulnerability.]

Impact:   A remote user could register an ordinary member account with the name 'admin' to send spoofed messages appearing to originate from the administrator.
Solution:   No solution was available at the time of this entry.

The author of the report has provided the following solution (apparently from ewgenij_s at gmx.de):

in register.php change

$c = count($d)-2;

with

$c = count($d)-1;

Vendor URL: www.webrc.ca/php/upb.php
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
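The counter change quoted in the Solution field is all the report gives; the loop around it in UPB's register.php is not on this page. The following example is added here and is not UPB's code or the reporter's. It rebuilds a flat-file username-uniqueness check around such a counter to show how `count($d)-2` with an inclusive loop bound skips the last record, why on a freshly installed board the skipped record is the installer-created `admin`, and a hardened form that goes beyond the report by walking every record and comparing case-insensitively. The `<~>` field separator, the username-first record layout, the sample stores and every function name are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from UPB or from the report. UPB 1.0b kept its
// members in a flat file; this rebuilds a username-uniqueness check for
// register.php around the counter line the report quotes. The '<~>' field
// separator, username-first layout, loop shape and function names are all
// assumptions made for this example.

// Constructed sample stores: one record per line, username first.
const STORE_FRESH_INSTALL = "admin<~>Admin\n";                 // only the installer-created account
const STORE_WITH_MEMBERS  = "admin<~>Admin\nalice<~>member\n"; // one registration later

// Equivalent of file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES):
// no trailing empty element, so count($d) is the number of records.
function loadRecords(string $raw): array
{
    $lines = array_filter(explode("\n", $raw), fn(string $l): bool => trim($l) !== '');
    return array_values($lines);
}

// Counter-driven check in the shape the report implies. $offset = 2 is the
// vulnerable line ($c = count($d)-2), $offset = 1 is the reported fix.
// With an inclusive bound, count($d)-2 is one short of the last index, so the
// last record is never compared; on a fresh board $c becomes -1, the loop
// body never runs, and a second 'admin' registers with 'member' rights.
function usernameTakenByCounter(array $d, string $name, int $offset): bool
{
    $c = count($d) - $offset;
    for ($i = 0; $i <= $c; $i++) {
        [$user] = explode('<~>', $d[$i], 2);
        if ($user === $name) {
            return true;
        }
    }
    return false;
}

// Hardened form (goes beyond the report): no hand-maintained index at all,
// and a case-insensitive comparison so 'Admin' cannot pose as 'admin' either.
function usernameTakenHardened(array $d, string $name): bool
{
    $wanted = strtolower(trim($name));
    foreach ($d as $line) {
        [$user] = explode('<~>', $line, 2);
        if (strtolower(trim($user)) === $wanted) {
            return true;
        }
    }
    return false;
}

// Run the three checks over one store for the names that matter.
function report(string $label, string $raw, array $candidates): void
{
    $d = loadRecords($raw);
    printf("%s (%d record(s))\n", $label, count($d));
    foreach ($candidates as $name) {
        printf("  %-6s vulnerable=%-5s fixed=%-5s hardened=%s\n",
            $name,
            var_export(usernameTakenByCounter($d, $name, 2), true),
            var_export(usernameTakenByCounter($d, $name, 1), true),
            var_export(usernameTakenHardened($d, $name), true));
    }
}

report('fresh install', STORE_FRESH_INSTALL, ['admin', 'Admin', 'bob']);
report('after one registration', STORE_WITH_MEMBERS, ['admin', 'alice', 'bob']);
```

Run it with `php example.php`. On the fresh-install store the vulnerable check reports 'admin' as free while the fixed and hardened checks report it as taken, which is the situation the report describes. Once another member has registered, the vulnerable check instead misses the newest record ('alice'), which is the general form of the off-by-one: whichever account is last in the store can be duplicated. A defender auditing an existing board can apply the same idea in reverse and scan the member store for duplicate usernames, since the registration path never rejected them.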


 Source Message Contents

Subject:  [VulnWatch] `admin' bug in upb



product: Ultimate PHP Board (UPB) 
version: Public Beta 1.0b !!FIXED 
vendor: http://www.webrc.ca/php/upb.php
status: notified

------------------------------------------------
summary: UPB allows two `admin' accounts to exist, 
but with different access levels. This may 
apply to spoofing attacks. 
------------------------------------------------
 I registered the `admin' account during the install procedure. It has 
`Admin' permissions. Later I registered `admin' again the normal way (via 
register.php) and UPB didn't output any error. But THIS `admin' has `member' 
permissions. 

solution (from ewgenij_s@gmx.de)
---------

in register.php change 

      $c = count($d)-2; 

      with 

      $c = count($d)-1; 


regardz,
GooDWiN /tF0KP
----------------------------
www.security-ru.net

___________________________
origin: i'm not a lame,
         not yet a hacker ))


----
  http://www.rambler.ru


Copyright 2019, SecurityGlobal.net LLC