
PTNews v1.7.7: access to administrator functions without authentication


Overview


Discovered on April 7th, 2003
Vendor: PTNews

PT News is a simple news system. It is a lightweight solution for sites without SQL database support. The whole system is written in PHP (PHP3 and PHP4 are supported).
A vulnerability allows access to the administrator functions without any authentication.

Risk


Exploit easiness: ★★★★★ (5/5)
Vulnerability spreading: ★★☆☆☆ (2/5)
Impact: ★★★★☆ (4/5)
Risk: ★★★☆☆ (3/5)

Details


In PTNews v1.7.7, the administrator functions are located in the file news.inc.
Here is the interesting piece of code:

//handle administrator functions

$files = getFileNames($newsdir);
$context = "";

if ($HTTP_POST_VARS[submitButton] == $lang[frm_btn]) {
   createNewsEntry($newsdir);
   if ("replace" == $HTTP_POST_VARS[action] &&
      in_array($HTTP_POST_VARS[file], $files)) {
      deleteNewsEntry($newsdir.$HTTP_POST_VARS[file]);
   }
   makeNewsRSS($newsdir);
} elseif (isset($HTTP_GET_VARS[delete])) {
   if ("all" == $HTTP_GET_VARS[delete]) {
      $context = deleteAll($newsdir,$config[newssuff]);
   } else {
      if (in_array($HTTP_GET_VARS[delete], $files))
         deleteNewsEntry ($newsdir.$HTTP_GET_VARS[delete]);
   }
   makeNewsRSS($newsdir);
} elseif (isset($HTTP_GET_VARS[edit]) &&
      in_array($HTTP_GET_VARS[edit], $files)) {
   $context = editNewsEntry($newsdir,$HTTP_GET_VARS[edit]);
}


As you can see, this block handles every administrative action: creating a news entry, replacing one, deleting a single entry or all of them, and editing an entry.
Now, the file "news.inc" is included in the index.php file as follows:

<html>
<head>
<title>PTNews Site</title>
</head>
<body>
<?
   $newsdir = "news/";
   include ("news.inc");
   // handle CGI parameters
   if (!isset($HTTP_GET_VARS[pageNum])) $pageNum = 1;
   else $pageNum = $HTTP_GET_VARS[pageNum];
   if (!isset($HTTP_GET_VARS[topic])) {
       $topic="";
   } else {
      $topic=$HTTP_GET_VARS[topic];
   }
   $extra="";
?>
etc...


Bingo! The file "news.inc" is required by the public access file "index.php", for example for the "searchNews" or "displayNews" functions. But since news.inc also contains the administrator functions, anybody can reach the administrator functions through the public page...

Exploit


OK, that's really easy. You just have to send a specific URL to reach the admin functions.

Function          URL
Create a news     Not a URL: only POSTed data. Not impossible to exploit :)
Replace a news    Not a URL: only POSTed data. Not impossible to exploit :)
Delete all news   http://www.victim.com/ptnews/index.php?delete=all
Edit a news       Too difficult to exploit

Solution


The solution is to separate the standard news functions from the administrator news functions:
Standard news functions must go into news.inc.
Administrator news functions must go into admin.inc.

The vendor has been informed and has fixed the problem. Download PTNews 1.7.8.
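As an added illustration of the split described above (this is not the vendor's 1.7.8 code, which the advisory does not show), here is what an admin.inc could look like in current PHP: news.inc keeps only the read-only helpers, and the administrative dispatcher lives in admin.inc, which refuses to run unless the request carries an authenticated administrator session. The helper isAdminAuthenticated() and the $_SESSION['admin'] flag are assumptions; getFileNames, createNewsEntry, deleteNewsEntry, deleteAll, editNewsEntry, makeNewsRSS, $lang and $config are the names used by the page's own code.

```php
<?php
// admin.inc (added example, not PTNews code). This file is never included
// from index.php, so the public news page cannot reach these actions.
declare(strict_types=1);

session_start();
$newsdir = "news/";
require "news.inc";   // read-only helpers only (getFileNames, displayNews, ...)

// Assumed helper: the login page sets $_SESSION['admin'] = true after
// checking the administrator's credentials. Every request to this file
// must pass this gate before any state-changing function is called.
function isAdminAuthenticated(): bool
{
    return ($_SESSION['admin'] ?? false) === true;
}

if (!isAdminAuthenticated()) {
    http_response_code(403);
    exit("Administrator login required.");
}

// Same dispatch as the vulnerable block, now behind the authentication gate.
// The in_array() whitelist is kept: only names returned by getFileNames()
// may be passed on, so an arbitrary path never reaches the file functions.
$files   = getFileNames($newsdir);
$context = "";

if (isset($_POST['submitButton']) && $_POST['submitButton'] === $lang['frm_btn']) {
    createNewsEntry($newsdir);
    if (($_POST['action'] ?? '') === 'replace'
        && in_array($_POST['file'] ?? '', $files, true)) {
        deleteNewsEntry($newsdir . $_POST['file']);
    }
    makeNewsRSS($newsdir);
} elseif (isset($_GET['delete'])) {
    // Note: deletion driven by a GET parameter is still CSRF-prone even when
    // authenticated; a POST form with a per-session token is the safer shape.
    if ($_GET['delete'] === 'all') {
        $context = deleteAll($newsdir, $config['newssuff']);
    } elseif (in_array($_GET['delete'], $files, true)) {
        deleteNewsEntry($newsdir . $_GET['delete']);
    }
    makeNewsRSS($newsdir);
} elseif (isset($_GET['edit']) && in_array($_GET['edit'], $files, true)) {
    $context = editNewsEntry($newsdir, $_GET['edit']);
}
```

With this layout, index.php?delete=all does nothing, because index.php only includes news.inc and the deletion code no longer exists there.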

Discovered by


Arnaud Jacques aka scrap
webmaster@securiteinfo.com

© 2004-2018 - All rights reserved - SecuriteInfo.com