SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   NewsPHP (nphp.net)
Vendors:   newsPHP Development Team
NewsPHP Input Validation Flaw Lets Remote Users Gain Administrator Privileges on the Application
SecurityTracker Alert ID:  1006912
SecurityTracker URL:  http://securitytracker.com/id/1006912
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 3 2003
Impact:   User access via network
Exploit Included:  Yes  
Version(s): 216
Description:   Peter Winter-Smith of Team UEC reported a vulnerability in NewsPHP. A remote user can obtain certain administrator privileges.

It is reported that a remote user can inject arbitrary data into the 'email address' field to give a low-level user account administrator privileges.

The report indicates that the software does not filter the delimiter string '<~>' from user-supplied input before writing the information to the database file. A remote user can create a specially crafted e-mail address that includes this delimiter string to modify the database file and assign admin privileges to the account with that e-mail address.

Vendor notification was reportedly returned by the vendor's e-mail system.

Impact:   A remote user can gain administrator privileges on the application.
Solution:   No solution was available at the time of this entry.

[Editor's note: The vendor's web site indicates that development of NewsPHP has stopped in favor of a new project, NewsPHP Advanced.]

Vendor URL:  www.nphp.net/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Arbitrary Field Injection Vulnerability in NewsPHP v216



Arbitrary Field Injection Vulnerability in NewsPHP v216

Url: http://www.nphp.net

In NewsPhp it is possible to inject an arbitrary field into the 'email
address' field which would give a low-level user administrator privileges.
This would be accomplished as follows.
A regular user section of the 'nconf.php' file looks similar to the
following:

user<~>Admin<~>5f4dcc3b5aa765d61d8327deb882cf99<~>none@me.com<~>5<~>default
user<~>Guest<~>5f4dcc3b5aa765d61d8327deb882cf99<~>guest@guest.com<~>1<~>default

Whereby "<~>" is the delimiter for the data.
There doesn't appear to be any procedure to check that the 'email address'
field is not changed to include the delimiter and any arbitrary data fed
into it, so therefore the database could be altered in such a way that the
'1' (regular account) of the 'Guest' user, could be changed into a '5'
(admin account).

This could mean that the regular user could be ... A nuisance if nothing
else.

I personally could not get the script to run (I've seen it working on other
sites though) however I gave the code a thorough check before I released
this vulnerability, so apologies if anything here is not exact, however I'm
sure that it should be.

================================================================


Operating system and servicepack level:
Windows/Linux/Unix + PHP


Software:
NewsPHP v216


Under what circumstances the vulnerability was discovered:
Under a vulnerability search.


If the vendor has been notified:
The vendor does not appear to be supporting the product ... My email was
returned :o|


How to contact you for further information:
I can always be reached at peter4020@hotmail.com


Please credit this find to:
Peter Winter-Smith of Team UEC


Thank you for your time,
-Peter
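
As an added illustration of the missing check described in the report (not NewsPHP code and not part of the original message), here is a writer and reader for the '<~>'-delimited record format that refuse values which would break the field framing. The function names, the six-field layout inferred from the two sample records, the name given to the last field, and the sample values are assumptions.

```php
<?php
// Added example: hypothetical helpers, not taken from NewsPHP.
const DELIM  = '<~>';
const FIELDS = 6; // assumed layout: type, name, password hash, email, level, extra

// Build one user record; refuse any field that could break the framing.
function build_user_record(string $name, string $hash, string $email, int $level, string $extra): string
{
    foreach ([$name, $hash, $email, $extra] as $field) {
        if (strpos($field, DELIM) !== false || preg_match('/[\r\n]/', $field)) {
            throw new InvalidArgumentException('field contains delimiter or line break');
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a valid e-mail address');
    }
    // $level comes from server-side state only, never from the submitted form.
    return implode(DELIM, ['user', $name, $hash, $email, (string)$level, $extra]);
}

// Parse one record; a wrong field count indicates a line written without filtering.
function parse_user_record(string $line): array
{
    $parts = explode(DELIM, rtrim($line, "\r\n"));
    if (count($parts) !== FIELDS || $parts[0] !== 'user' || !ctype_digit($parts[4])) {
        throw new UnexpectedValueException('malformed user record');
    }
    return ['name' => $parts[1], 'hash' => $parts[2], 'email' => $parts[3],
            'level' => (int)$parts[4], 'extra' => $parts[5]];
}

// Constructed sample input: a clean address and one carrying the delimiter.
foreach (['guest@guest.example', 'guest@guest.example' . DELIM . 'x'] as $email) {
    try {
        $rec = parse_user_record(build_user_record('Guest', str_repeat('0', 32), $email, 1, 'default'));
        echo "stored: level={$rec['level']} email={$rec['email']}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}

// Audit side: a constructed seven-field line, as unfiltered code could have written.
try {
    parse_user_record(implode(DELIM, ['user', 'Guest', str_repeat('0', 32), 'a', 'b', '1', 'default']));
} catch (UnexpectedValueException $e) {
    echo "audit: {$e->getMessage()}\n";
}
```

Running the parse check over an existing data file is a quick way to find records that were already altered before the write-side filter was in place.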

Copyright 2021, SecurityGlobal.net LLC