[26374] in bugtraq


Easy Guestbook Vulnerabilities

daemon@ATHENA.MIT.EDU (Arek Suroboyo)
Sun Jul 28 04:20:02 2002

Message-ID: <20020727195855.6886.qmail@web21108.mail.yahoo.com>
Date: Sat, 27 Jul 2002 12:58:55 -0700 (PDT)
From: Arek Suroboyo <ar3su@yahoo.com>
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-424191439-1027799935=:6080"

--0-424191439-1027799935=:6080
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

AresU Advisory 
19/July/2002 

Easy Guestbook Vulnerabilities 

Severity        : High (Possible to edit member homepage)
Systems Affected: Easy Guestbook v1.0
Vendor URL      : http://www.easyscripts.co.uk
Vuln Type       : No access validation is performed when deleting entries or logging in to the Admin Control.
Author          : AresU
Greetz to       : Bosen, Tioeuy, eF73, SakitJiwa, nimdA, Br0374l, FreshFirst, Algorithm, Mr.Padang
Adv.URL         : http://bosen.net/advisories/aresu-adv.002.txt

Summary 
======= 
1) Anyone can delete entries and log in to the Admin Control.
2) Anyone can reconfigure the Guestbook by opening config.cgi, and can change the Admin Password.

Solution 
======== 
1) Add Access Validation on "delete_message" function
and "start" function. 

   Add this code to admin.cgi:
   sub login_verify
   {
        # Strip a trailing newline from the submitted credentials.
        chomp($FORM{'login_username'});
        chomp($FORM{'login_password'});
        # Abort the request unless both fields match the configured values.
        if (!($FORM{'login_username'} eq $username && $FORM{'login_password'} eq $password))
        {
          dienice("Sorry, but you have entered an invalid username or password.  Please press the 'back' button on your browser to return to the Login Screen.");
        }
   }

   And on the first line of the "delete_message" function and the "start" function add this:
   &login_verify;

   And in the "start" function add this code inside the <FORM>:
   <input type="hidden" name="login_username" value="$FORM{'login_username'}">
   <input type="hidden" name="login_password" value="$FORM{'login_password'}">
   
2) Delete config.cgi after you finish configuring the Guestbook.
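
An added example, not part of the advisory or of Easy Guestbook's code: one way to apply the access validation from step 1 so that it cannot be forgotten on an admin function, by routing every request through one dispatcher that refuses admin actions without a valid login. The `action` parameter, the `view` action, the handler bodies and the credentials are assumptions constructed for illustration; only `delete_message`, `start`, `login_username` and `login_password` come from the advisory.

```perl
#!/usr/bin/perl
# Added example (not Easy Guestbook code): default-deny dispatch for admin actions.
use strict;
use warnings;

# Constructed credentials; the real script reads its own from its configuration.
my ($username, $password) = ('admin', 'constructed-secret');

# Compare two strings without stopping at the first differing byte.
sub same_string {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# A missing or empty field never matches, even if a configured value is empty.
sub login_ok {
    my ($form) = @_;
    my ($u, $p) = @{$form}{qw(login_username login_password)};
    return 0 unless defined $u && defined $p && length $u && length $p;
    my $user_ok = same_string($u, $username);
    my $pass_ok = same_string($p, $password);
    return $user_ok && $pass_ok;
}

# Every action is listed once, with its handler and whether it needs a login.
my %actions = (
    view           => { admin => 0, run => sub { 'entries listed' } },
    start          => { admin => 1, run => sub { 'admin menu shown' } },
    delete_message => { admin => 1, run => sub { "entry $_[0]{id} deleted" } },
);

sub dispatch {
    my ($form) = @_;
    my $act = $actions{ $form->{action} // '' } or return 'unknown action';
    return 'login required' if $act->{admin} && !login_ok($form);
    return $act->{run}->($form);
}

# Constructed requests: the first is a delete submitted without any credentials.
my %good = (login_username => 'admin', login_password => 'constructed-secret');
print dispatch({ action => 'delete_message', id => 3 }), "\n";
print dispatch({ action => 'delete_message', id => 3, %good }), "\n";
print dispatch({ action => 'start', login_username => 'admin', login_password => '' }), "\n";
print dispatch({ action => 'view' }), "\n";
```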


Acknowledgments 
=============== 
Vulnerability discovery, exploit code, and advisory by
AresU 

Vendor Response 
=============== 
The vendor was contacted about 10 days ago but has not fixed the issue yet.

Exploit Code 
============ 
Change action in the html form.


--0-424191439-1027799935=:6080
Content-Type: application/x-zip-compressed; name="easyguestbook.zip"
Content-Transfer-Encoding: base64
Content-Description: easyguestbook.zip
Content-Disposition: attachment; filename="easyguestbook.zip"
--0-424191439-1027799935=:6080--
