Overview
PTNews v1.7.7: access to administrator functions without authentication
Discovered on April 7th, 2003
Vendor:
PTNews
PTNews is a simple news system, a lightweight solution for sites without SQL database support. The whole system is written in PHP (PHP3 and PHP4 supported).
A vulnerability allows access to the administrator functions without authentication.
Risk
Exploit easiness, Vulnerability spreading, Impact, Risk: the ratings for these four criteria are images on the original page and did not survive extraction.
Details
In PTNews v1.7.7, the administrator functions are located in the file news.inc.
Here is the interesting piece of code:
//handle administrator functions
// This block sits at the top level of news.inc, so it runs on every request
// that includes the file, and nothing in it checks who the requester is.
$files = getFileNames($newsdir);
$context = "";
if ($HTTP_POST_VARS[submitButton] == $lang[frm_btn]) {
    // any POST whose submitButton matches the form label creates an entry
    createNewsEntry($newsdir);
    if ("replace" == $HTTP_POST_VARS[action] &&
        in_array($HTTP_POST_VARS[file], $files)) {
        deleteNewsEntry($newsdir.$HTTP_POST_VARS[file]);
    }
    makeNewsRSS($newsdir);
} elseif (isset($HTTP_GET_VARS[delete])) {
    // ?delete=all wipes the news directory; ?delete=<file> removes one entry
    if ("all" == $HTTP_GET_VARS[delete]) {
        $context = deleteAll($newsdir,$config[newssuff]);
    } else {
        if (in_array($HTTP_GET_VARS[delete], $files))
            deleteNewsEntry ($newsdir.$HTTP_GET_VARS[delete]);
    }
    makeNewsRSS($newsdir);
} elseif (isset($HTTP_GET_VARS[edit]) &&
          in_array($HTTP_GET_VARS[edit], $files)) {
    // ?edit=<file> opens an existing entry for editing
    $context = editNewsEntry($newsdir,$HTTP_GET_VARS[edit]);
}
As you can see, it handles:
- News creation
- News replacement
- News deletion (one entry, or all of them)
- News editing
Now, the file news.inc is included by index.php as follows:
<html>
<head>
<title>PTNews Site</title>
</head>
<body>
<?
$newsdir = "news/";
// the administrator dispatch shown above runs right here, on every public request
include ("news.inc");
// handle CGI parameters
if (!isset($HTTP_GET_VARS[pageNum])) $pageNum = 1;
else $pageNum = $HTTP_GET_VARS[pageNum];
if (!isset($HTTP_GET_VARS[topic])) {
    $topic="";
} else {
    $topic=$HTTP_GET_VARS[topic];
}
$extra="";
?>
etc...
Bingo! The file news.inc is needed by the public page index.php, for example for the searchNews or displayNews functions. But because news.inc also contains the administrator dispatch, which runs at include time without checking who is asking,
anybody who can reach index.php can invoke the administrator functions.
Exploit
It is really easy: you just have to send a specific request to index.php to reach the admin functions.
| Function | URL |
| Create a news | Not a URL: only POSTed data. Not impossible to exploit :) |
| Replace a news | Not a URL: only POSTed data. Not impossible to exploit :) |
| Delete all news | http://www.victim.com/ptnews/index.php?delete=all |
| Edit a news | Too difficult to exploit |
Deleting a single entry works the same way with delete=<filename>; the in_array() check in the code above only accepts a name that already exists in the news directory, so the attacker has to know (or guess) the file name.
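If you run PTNews and want to know whether someone has already tried this against you, the following added example (written for this page, not part of the advisory or of PTNews) scans web-server access-log lines for requests to index.php that carry the delete= or edit= parameters the unprotected dispatch acts on, and also reports POSTs to the public page, since news creation and replacement travel in a request body the access log does not record. The four log lines in SAMPLE are constructed for this example; the script name, function name and output format are mine.

```php
<?php
// Added example, not part of the advisory: flag access-log lines that carry the
// parameters PTNews 1.7.7's unprotected dispatch acts on. Reads combined-format
// lines from the file given as first argument, or the constructed SAMPLE below.
declare(strict_types=1);

const SAMPLE = <<<'LOG'
203.0.113.7 - - [07/Apr/2003:10:11:12 +0200] "GET /ptnews/index.php?delete=all HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [07/Apr/2003:10:11:30 +0200] "GET /ptnews/index.php?pageNum=2&topic=php HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
198.51.100.4 - - [07/Apr/2003:10:12:01 +0200] "GET /ptnews/index.php?edit=20030401.txt HTTP/1.0" 200 900 "-" "curl/7.9"
198.51.100.4 - - [07/Apr/2003:10:12:09 +0200] "POST /ptnews/index.php HTTP/1.0" 200 512 "-" "curl/7.9"
LOG;

/**
 * Returns the indicators found in one access-log line, or [] for a benign hit.
 * Only requests whose path ends in index.php are considered: the advisory's
 * point is that the public page, not an admin page, accepts these parameters.
 */
function ptnewsAdminIndicators(string $line): array
{
    if (!preg_match('#"([A-Z]+) (\S+) HTTP/#', $line, $m)) {
        return [];
    }
    [, $method, $target] = $m;
    if (basename((string) parse_url($target, PHP_URL_PATH)) !== 'index.php') {
        return [];
    }
    parse_str((string) parse_url($target, PHP_URL_QUERY), $query);

    $found = [];
    foreach (['delete', 'edit'] as $param) {
        if (isset($query[$param]) && is_scalar($query[$param])) {
            $found[] = $param . '=' . $query[$param];
        }
    }
    // Creation/replacement travels in a POST body, which the access log does
    // not record, so any POST to the public page is worth a look.
    if ($method === 'POST') {
        $found[] = 'POST body (possible createNewsEntry/replace)';
    }
    return $found;
}

$lines = $argc > 1
    ? (file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [])
    : explode("\n", SAMPLE);

foreach ($lines as $n => $line) {
    $found = ptnewsAdminIndicators($line);
    if ($found !== []) {
        printf("line %d: %s\n", $n + 1, implode(', ', $found));
    }
}
```

Run it with `php ptnews-scan.php /var/log/apache2/access.log`; on the constructed sample it reports the delete=all line, the edit= line and the POST, and stays quiet on the ordinary pageNum/topic request. A POST hit on its own is not proof of abuse (a legitimate administrator submitting the form through index.php produces the same line), so correlate it with the source address and with unexpected files appearing in the news directory.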
Solution
The solution is to separate the standard news functions from the administrator news functions, so that index.php never pulls in the administrator code:
Standard news functions go in news.inc
Administrator news functions go in admin.inc, included only by the administration page
The vendor has been informed and has fixed the problem. Download: ptnews 1.7.8
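One way to implement that split, as an added example that is not PTNews's own 1.7.8 fix: the dispatch that news.inc used to run at include time becomes a function in admin.inc, and the page that calls it (admin.php) refuses every request that does not authenticate first. Everything below that is not on this page is assumed: entries are flat <name>.txt files in the news directory, the admin page uses HTTP Basic authentication against a password hash, the news form posts the fields title and text, and the PTNews helper bodies (createNewsEntry, deleteAll, makeNewsRSS, ...) are minimal reimplementations; the edit branch is left out because editNewsEntry is not shown on the page.

```php
<?php
// Added example, not PTNews's own fix: the split described above, with the
// administrator dispatch behind an authentication check. Assumptions (none on
// the page): entries are flat <name>.txt files in $newsdir, the admin page uses
// HTTP Basic authentication against $ADMIN_USERS, the form posts 'title' and
// 'text'. Helper bodies are minimal reimplementations (the originals are not
// on the page) and the edit branch is omitted for the same reason.
declare(strict_types=1);

const NEWS_SUFFIX = '.txt';
$ADMIN_USERS = ['admin' => password_hash('change-me', PASSWORD_DEFAULT)]; // example credentials
$lang        = ['frm_btn' => 'Submit'];                                   // assumed button label
$config      = ['newssuff' => NEWS_SUFFIX];

/** admin.php gate: HTTP Basic credentials checked against stored hashes. */
function is_admin_authenticated(array $server, array $users): bool
{
    $user = $server['PHP_AUTH_USER'] ?? '';
    $pass = $server['PHP_AUTH_PW'] ?? '';
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

/** Bare file names only: a request can never name a path outside $newsdir. */
function getFileNames(string $newsdir): array
{
    return array_map('basename', glob($newsdir . '*' . NEWS_SUFFIX) ?: []);
}

function createNewsEntry(string $newsdir, string $title, string $text): string
{
    $name = date('Ymd-His') . '-' . bin2hex(random_bytes(3)) . NEWS_SUFFIX;
    file_put_contents($newsdir . $name, "$title\n$text\n", LOCK_EX);
    return $name;
}

function deleteNewsEntry(string $path): void
{
    if (is_file($path)) unlink($path);
}

function deleteAll(string $newsdir, string $suffix): int
{
    $files = glob($newsdir . '*' . $suffix) ?: [];
    array_map('unlink', $files);
    return count($files);
}

function makeNewsRSS(string $newsdir): void
{
    $items = '';
    foreach (getFileNames($newsdir) as $file) {
        $title = (string) strtok((string) file_get_contents($newsdir . $file), "\n");
        $items .= '<item><title>' . htmlspecialchars($title) . '</title></item>';
    }
    file_put_contents($newsdir . 'news.rss', "<rss version=\"2.0\"><channel>$items</channel></rss>\n");
}

/**
 * admin.inc: the former top-level dispatch of news.inc as a function that is
 * called only after authentication. $get/$post are parameters, not
 * superglobals, so the CLI self-check below can drive it.
 */
function handleAdminRequest(array $get, array $post, string $newsdir, array $lang, array $config): string
{
    $files = getFileNames($newsdir);
    $context = '';
    if (($post['submitButton'] ?? null) === $lang['frm_btn']) {
        $context = 'created ' . createNewsEntry($newsdir, $post['title'] ?? '', $post['text'] ?? '');
        if (($post['action'] ?? '') === 'replace' && in_array($post['file'] ?? '', $files, true)) {
            deleteNewsEntry($newsdir . $post['file']);   // whitelist: only an existing file name
        }
        makeNewsRSS($newsdir);
    } elseif (isset($get['delete'])) {
        if ($get['delete'] === 'all') {
            $context = 'deleted ' . deleteAll($newsdir, $config['newssuff']);
        } elseif (in_array($get['delete'], $files, true)) {
            deleteNewsEntry($newsdir . $get['delete']);
            $context = 'deleted ' . $get['delete'];
        }
        makeNewsRSS($newsdir);
    }
    return $context;
}

if (PHP_SAPI === 'cli') {
    // Stand-alone run against a throw-away directory: the same requests are
    // refused without credentials and honoured with them.
    $dir = sys_get_temp_dir() . '/ptnews-' . bin2hex(random_bytes(3)) . '/';
    mkdir($dir);
    $post = ['submitButton' => 'Submit', 'title' => 'Hello', 'text' => 'world'];
    foreach ([[], ['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'change-me']] as $server) {
        if (!is_admin_authenticated($server, $ADMIN_USERS)) { echo "refused: no valid credentials\n"; continue; }
        echo handleAdminRequest([], $post, $dir, $lang, $config), "\n";
        echo handleAdminRequest(['delete' => 'all'], [], $dir, $lang, $config), "\n";
    }
    @unlink($dir . 'news.rss');
    rmdir($dir);
} elseif (!is_admin_authenticated($_SERVER, $ADMIN_USERS)) {
    // admin.php: gate every request before the dispatch is reached.
    header('WWW-Authenticate: Basic realm="PTNews administration"');
    http_response_code(401);
    exit("Authentication required\n");
} else {
    echo handleAdminRequest($_GET, $_POST, 'news/', $lang, $config);
}
```

With this layout index.php keeps including news.inc, which now holds only the public functions such as displayNews and searchNews, and the news form posts to admin.php instead. The in_array() whitelist on file names is kept from the original code because it is what stops a delete or replace parameter from naming a path outside the news directory; the authentication check is what the original lacked, and it has to sit in front of the dispatch, not inside the public include path.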
Discovered by
Arnaud Jacques aka scrap
webmaster@securiteinfo.com
Tags
AUTHENTICATION
WEBSITE
VULNERABILITY RESEARCH