Poster Input Validation Bug Allows Remote Authenticated Users to Gain Administrative Privileges
SecurityTracker Alert ID: 1006757
SecurityTracker URL: http://securitytracker.com/id/1006757
Updated: Feb 28 2004
Original Entry Date: May 14 2003
Modification of user information
Exploit Included: Yes
A vulnerability was reported in Poster. A remote authenticated user can gain administrative privileges on the application.
It is reported that the software does not filter the '|' field delimiter from user-supplied input. A remote authenticated user can submit a specially crafted e-mail address when changing their account details to cause the system to grant the user administrative privileges:
Because of the way in which the resulting information is written to the mem.php file, the trailing 'admin' string will be interpreted by the 'index.php' file as meaning that the user has 'admin' privileges.
A remote authenticated user can gain administrative access on the application.
No solution was available at the time of this entry.
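As an added illustration, not code from the advisory or from Poster itself, the following Python models the flat-file record handling described above: a writer that joins the fields unfiltered, a reader that trusts whatever lands in the fourth slot, and hardened versions that reject the delimiter and line breaks on write and refuse a record with the wrong field count on read. The mem.php field order, the field names and the e-mail allow-list are assumptions.

```python
import re

DELIM = "|"
FIELDS = ("username", "password", "email", "type")  # assumed mem.php layout
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")  # assumed policy

class InvalidField(ValueError):
    """User input that would break the record format."""

def write_record_unsafe(username, password, email, acct_type):
    """Vulnerable writer: fields are joined verbatim, delimiter and all."""
    return DELIM.join((username, password, email, acct_type))

def parse_record_unsafe(line):
    """Vulnerable reader: whatever lands in the 4th slot becomes the account type."""
    return dict(zip(FIELDS, line.split(DELIM)))

def validate(name, value):
    """Reject the delimiter and line breaks in any field; allow-list the e-mail."""
    if not value or any(c in value for c in (DELIM, "\n", "\r")):
        raise InvalidField(f"{name}: forbidden character")
    if name == "email" and not EMAIL_RE.match(value):
        raise InvalidField("email: not a valid address")
    return value

def write_record_safe(username, password, email, acct_type):
    """Hardened writer: every field is validated before it reaches the file."""
    values = (username, password, email, acct_type)
    return DELIM.join(validate(n, v) for n, v in zip(FIELDS, values))

def parse_record_safe(line):
    """Hardened reader: a wrong field count means tampering, not extra privileges."""
    parts = line.split(DELIM)
    if len(parts) != len(FIELDS):
        raise InvalidField(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def hardened_accepts(check, *args):
    """True if the hardened writer/reader accepts the input instead of raising."""
    try:
        check(*args)
        return True
    except InvalidField:
        return False
```

Running the vulnerable pair on a constructed e-mail of the form `jack@example.com|admin|` yields a record whose fourth field is `admin`, while the hardened writer rejects the edit and the hardened reader rejects the malformed stored line.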
Vendor URL: x.faction.nu/scripts.php?file=poster
Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Source Message Contents
Subject: [VulnWatch] Vulnerability in ' poster version.two'
This is my first time posting a vulnerability since most of my private
research has been done on very small projects, many of which were
Anyways, down to the vulnerability:
Poster version.two privilege escalation:
Poster version.two is an up and coming php news posting system which has
sites, but due to its growing popularity this may soon change.
If a user has their account type set to 'normal' by the administrator, then
they cannot edit other people's accounts, nor can they edit other people's
posts; they are harmless to the site.
Sadly, there is a fairly dangerous vulnerability within the 'index.php' file
in the 'edit account' section of the code, which places data from the
username, password and email address fields straight into the 'mem.php'
(user password and privileges) file.
A normal 'mem.php' file looks like this:
Where James has an administrator account, and Jack doesn't.
The normal user, Jack, could decide to change his account details to:
Notice the '|admin|' appended to the end of the address.
When Jack saved his details his account would appear as:
The 'index.php' file would take the first four parameters as the account
details and type, then seeing that parameter four was '|admin|', it
would assign Jack administrator privileges.
Jack could then delete all the posts and accounts on the site when he next
Although I do not know PHP very well, this is a very common vulnerability,
I have found, and this should be addressed within all sorts of applications
as soon as possible!
Thank you for reading this,
I am 16 years old and study at Christ Church high school in London, England;
I am taking my GCSEs this year.
My personal interests are Visual Basic and 16 bit assembly language
I usually don't release vulnerabilities unless they need widespread
Please feel free to contact me at: