[35569] in bugtraq
Sanity check in Centre
daemon@ATHENA.MIT.EDU (Manip)
Fri Jul 2 19:26:11 2004
Message-ID: <000b01c45f10$cbd92e60$6400000a@UTServer>
From: "Manip" <Bug@thelostsite.co.uk>
To: <BUGTRAQ@securityfocus.com>
Date: Thu, 1 Jul 2004 03:12:00 +0100
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
Summary: [www.miller-group.net] The Miller Group, Inc. announces the release
of Centre, a free student information system for public and non-public
schools. Centre is a web-based, open source, student management product with
features that include scheduling, grade book, attendance, eligibility,
transcripts, and more. And, of course, student and employee information
screens are critical components of Centre.
Version: 1.0
Exploit: There is no sanity checking anywhere in Centre. In effect an
unprivileged user can change administrator options and could lead to
privilege escalation. This includes but is not limited to creating new
accounts:
http://demo.miller-group.net/index.php?modfunc=create_account&staff&username=admin&staff_id=new
There is also improper checking in the modules.php file this could allow PHP
script injection. No validation is done on the module path.
Fix: Disable centre until an update is released (the problems are too
extensive).
