Title: CGI News Update 1.1 administration password bug
Released by: Morpheus[bd]
Date: 27th October 2000
News Update Advisory + Exploit - Morpheus[bd]

********************************
Morpheus[bd]
www:    www.brightdarkness.de
mailto: morpheusbd@gmx.net
********************************

Program name: News Update
Version: 1.1
Vendor/Programmer: CGI Script Center (http://cgi.elitehost.com)
Short Info: The administration password of the CGI program can be replaced without knowing the current one

*******************
 About News Update
*******************

From the "News Update" documentation:

[...]
"News Update was designed specifically for updating websites with
 a minimal effort.  Our goal was to allow the user the ability to
 quickly and efficiently update pages of data without having to
 open countless pages and creating pages and pages of new text,
 graphics, and HTML, only to have to delete them in a few days."
[...]

********
 Impact
********

The password protection is meant to prevent unauthorised users from adding
news to or deleting news from the page.
This protection can be bypassed and a new password assigned, which lets a
malicious user modify your news page.

*****
 Bug
*****

Shortly after initialising some variables, the script uses the following
code to dispatch on the user's input:

----------------snip--8<--snip-------------------

if ($INPUT{'parse'}) {&parse; }
elsif ($INPUT{'setpwd'}) {&setpwd; }
else {&display; }

----------------snap--8<--snap-------------------

If the request carries a "setpwd" parameter, the function "setpwd" is
called, which changes the administration password.

setpwd reads two parameters, "pwd" and "pwd2". Both hold the new password;
"pwd2" is only a confirmation of "pwd". The old - original - password is
NOT required and is never compared against anything, so any request that
supplies "setpwd", "pwd" and "pwd2" replaces the stored password.

----------------snip--8<--snip-------------------
(a shortened version of setpwd)

sub setpwd {

    print "Content-type: text/html\n\n";

    # both new-password fields must be present ...
    unless ($INPUT{'pwd'} && $INPUT{'pwd2'}) {
        [...] FAILURE [...]
        exit;
    }

    # ... and must match each other; nothing here asks for the OLD password
    if ($INPUT{'pwd'} && $INPUT{'pwd2'}) {
        if ($INPUT{'pwd'} ne $INPUT{'pwd2'}) {
            [...] FAILURE [...]
            exit;
        }
    }

    [...]

    # the new password is written straight to the password file
    open (PASSWORD, ">$passfile/password.txt");
    print PASSWORD "$newpassword";
    close (PASSWORD);

    print [...] "News Update: Password Success!" [...]
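The following is an added example, not code from this advisory or from CGI Script Center. It reproduces the dispatch shown above with a replacement setpwd that refuses to write a new password unless the request also carries the current one and that value matches the password on disk. The field name "oldpwd", the helper names, the use of a temporary directory in place of $passfile and the three constructed %INPUT requests at the end are all assumptions made so that the script runs stand-alone.

```perl
#!/usr/bin/perl
# Added example, not the News Update 1.1 code: a setpwd that checks the
# current password before accepting a new one.
use strict;
use warnings;
use File::Temp qw(tempdir);

# In the real script %INPUT is filled from the query string / POST body.
# It is populated by hand below so the example runs offline.
my %INPUT;

# Assumption: a scratch directory stands in for the script's $passfile,
# which the original uses as "$passfile/password.txt".
my $passfile = tempdir(CLEANUP => 1);

sub read_stored_password {
    open(my $fh, '<', "$passfile/password.txt") or return undef;
    my $pwd = <$fh>;
    close $fh;
    chomp $pwd if defined $pwd;
    return $pwd;
}

sub write_password {
    my ($pwd) = @_;
    # Three-argument open and an error check; the original ignores the
    # result of open(). The file is still plaintext, as in the original.
    open(my $fh, '>', "$passfile/password.txt")
        or die "cannot write password file: $!";
    print $fh $pwd;
    close $fh;
}

# Length-then-XOR comparison so a wrong guess does not return early on
# the first differing byte (a timing side channel).
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    return (($x ^ $y) =~ /[^\0]/) ? 0 : 1;
}

# Hardened setpwd: returns a status string instead of printing HTML.
# The request must carry "oldpwd" (assumed field name) matching the
# stored password before "pwd"/"pwd2" are accepted.
sub setpwd_hardened {
    my ($old, $new, $new2) = @INPUT{qw(oldpwd pwd pwd2)};
    for my $v ($old, $new, $new2) {
        return "FAILURE: missing field" unless defined $v && length $v;
    }
    return "FAILURE: new passwords differ" if $new ne $new2;

    my $stored = read_stored_password();
    return "FAILURE: no password set" unless defined $stored;
    return "FAILURE: wrong current password"
        unless constant_time_eq($old, $stored);

    write_password($new);
    return "SUCCESS";
}

# The advisory's dispatch, with the hardened sub wired in. parse and
# display are unrelated to the bug and are stubbed to return their names.
sub dispatch {
    if    ($INPUT{'parse'})  { return "parse" }
    elsif ($INPUT{'setpwd'}) { return setpwd_hardened() }
    else                     { return "display" }
}

# Constructed requests: set an initial password, then replay the request
# the advisory describes (setpwd, pwd, pwd2 only), a wrong current
# password, and a legitimate change.
write_password("s3cret");

%INPUT = (setpwd => 1, pwd => 'owned', pwd2 => 'owned');
print "attacker request:    ", dispatch(), "\n";

%INPUT = (setpwd => 1, oldpwd => 'wrong', pwd => 'owned', pwd2 => 'owned');
print "wrong old password:  ", dispatch(), "\n";

%INPUT = (setpwd => 1, oldpwd => 's3cret', pwd => 'n3wpass', pwd2 => 'n3wpass');
print "legitimate change:   ", dispatch(), "\n";
print "stored password now: ", read_stored_password(), "\n";
```

Run it with perl. The first request is the one the advisory describes and is now rejected for lack of the current password; only the third, which supplies the correct "oldpwd", rewrites the file. Storing the password as a salted hash rather than plaintext is a separate fix that this example does not make.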





(C) 1999-2000 All rights reserved.