AresU Advisory 18/July/2002 Easy Homepage Creator Vulnerability Severity : High (Possible to edit member homepage) Systems Affected: Advanced Easy Homepage Creator v1.0 Easy Homepage Creator v1.0 Vendor URL: http://www.easyscripts.co.uk Vuln Type : It does not use Access Validation to edit homepage Author : AresU Greetz to : Bosen, Tioeuy, eF73, SakitJiwa, nimdA, Br0374l, FreshFirst, Algorithm, Mr.Padang Adv.URL : http://bosen.net/advisories/aresu-adv.001.txt Summary ======= Everyone can change another user homepage without Access Validation easily. Solution ======== Add Access Validation on "print_html_to_file" function. Add edit.cgi with this code: sub login_check { if ($FORM{'username'} eq "" or $FORM{'password'} eq "") { dienice("Sorry, but you haven't entered a Username or Password. Please press the 'back' button on your browser to return to the login screen."); } $FORM{'username'} =~ tr/A-Z/a-z/; $FORM{'password'} =~ tr/A-Z/a-z/; open(PROFILE,"<$rootdir/profiles/$FORM{'username'}.pro") || dienice("Sorry, but you have entered an invalid username or password. Please press the 'back' button on your browser to return to the login form."); @DATA = <PROFILE>; chomp(@DATA); if (!($FORM{'username'} eq "@DATA[1]" && $FORM{'password'} eq "@DATA[2]") { dienice("Sorry, but you have entered an invalid username or password. Please press the 'back' button on your browser to return to the Login Form and try logging-in again."); } close(PROFILE); open(CHECK_USERNAME,"<$rootdir/profiles/ban_users.dat") || dienice("Configuration Error! Unable to open ban_users.dat file for reading. Please contact the webmaster of this web site. The following error occured : $!"); @check = <CHECK_USERNAME>; chomp(@check); close(CHECK_USERNAME); foreach $line (@check) { if ($line =~ /$FORM{'username'}/gi) { dienice("Sorry, but you have been banned from using the Homepage Creator. You should have been sent an email explaining why you have been banned from using the Homepage Creator. For more details contact the webmaster of this web site."); } } } sub dienice { my($msg) = @_; print <<EndHTML; <html> <head> <title>Homepage Login Error</title> </head> <body bgcolor="$bg_colour" link="$hyperlinks_colour" vlink="$hyperlinks_colour" alink="$hyperlinks_colour"> <p align="center">$logo_url $banner_url</p> <hr color="$linebreakcolour"> <p align="left"><b><font face="Times New Roman" color="$title_colour" size="5"> Homepage Login Error</font></b></p> <p align="left"><font face="Verdana" size="2" color="$field_text_colour"><b>$msg</b></font></p> <hr color="$linebreakcolour"> <p align="center"><font size="1" face="Verdana" color="$field_text_colour"><b>) Copyright <a href="http://www.easyscripts.co.uk";> Easy Scripts Archive</a> 2001. All Rights Reserved.</b></font></p> </body> </html> EndHTML exit; } And on the first line of "print_html_to_file" function add this: &login_check; Acknowledgments =============== Vulnerability discovery, exploit code, and advisory by AresU Vendor Response =============== Vendor has been contacted for about 10 days but they still didn't fix yet. Exploit Code ============ Change action in the html form. __________________________________________________ Do You Yahoo!? Yahoo! Health - Feel better, live better http://health.yahoo.com
Attachment:
easyhomepage.zip
Description: easyhomepage.zip
