AresU Advisory
19/July/2002

Easy Guestbook Vulnerabilities

Severity         : High (possible to edit member homepage)
Systems Affected : Easy Guestbook v1.0
Vendor URL       : http://www.easyscripts.co.uk
Vuln Type        : No access validation when deleting entries or logging in to Admin Control
Author           : AresU
Greetz to        : Bosen, Tioeuy, eF73, SakitJiwa, nimdA, Br0374l, FreshFirst, Algorithm, Mr.Padang
Adv.URL          : http://bosen.net/advisories/aresu-adv.002.txt

Summary
=======

1) Everyone can delete the entries and log in to Admin Control.

2) Everyone can reconfigure the guestbook by opening config.cgi and changing the Admin Password.

Solution
========

1) Add access validation to the "delete_message" function and the "start" function.

Add admin.cgi with this code:

    # Verify the submitted admin credentials against the configured
    # $username and $password; abort via the script's dienice() on mismatch.
    sub login_verify {
        chomp($FORM{'login_username'});
        chomp($FORM{'login_password'});
        if (!($FORM{'login_username'} eq $username && $FORM{'login_password'} eq $password)) {
            dienice("Sorry, but you have entered an invalid username or password. "
                  . "Please press the 'back' button on your browser to return to the Login Screen.");
        }
    }

On the first line of the "delete_message" function and the "start" function, add this:

    &login_verify;

And in the "start" function, add this code inside the <FORM>:

    <input type="hidden" name="login_username" value="$FORM{'login_username'}">
    <input type="hidden" name="login_password" value="$FORM{'login_password'}">

2) Delete config.cgi after you have finished configuring the guestbook.

Acknowledgments
===============

Vulnerability discovery, exploit code, and advisory by AresU

Vendor Response
===============

The vendor was contacted about 10 days ago but has still not fixed it.

Exploit Code
============

Change the action in the HTML form.
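As an added illustration (not the advisory's or the vendor's code), the following stand-alone Perl script shows the same access validation applied through a dispatch table, so that "start" and "delete_message" can only be reached after login_verify() succeeds, whatever "action" value the form submits; it compares a hash of the submitted password instead of the plaintext. The credentials, the %FORM contents and the three handler bodies are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);   # core module

# Constructed credentials for this example; the guestbook's own scripts
# read $username and $password from config.cgi instead.
my $username      = 'admin';
my $password_hash = sha256_hex('correct horse');

# Constructed request, standing in for the decoded CGI form (%FORM).
# The trailing newline shows why the advisory's fix chomp()s the fields.
my %FORM = (
    action         => 'delete_message',
    id             => '7',
    login_username => 'admin',
    login_password => "correct horse\n",
);

# Mirrors the guestbook's dienice(): print an error page and stop.
sub dienice {
    my ($msg) = @_;
    print "Content-type: text/plain\n\n$msg\n";
    exit 1;
}

# Access validation: every admin-only handler passes through here first.
sub login_verify {
    my $u = $FORM{'login_username'} // '';
    my $p = $FORM{'login_password'} // '';
    chomp($u);
    chomp($p);
    # Compare a hash of the submitted password, so the plaintext admin
    # password never has to live in the script or in hidden form fields.
    unless ($u eq $username && sha256_hex($p) eq $password_hash) {
        dienice("Sorry, but you have entered an invalid username or password.");
    }
    return 1;
}

sub delete_message { print "Content-type: text/plain\n\nDeleted entry $FORM{id}\n" }
sub start          { print "Content-type: text/plain\n\nAdmin Control panel\n" }
sub view           { print "Content-type: text/plain\n\nGuestbook entries\n" }

# Dispatch table: admin actions are wrapped in the check, so a request that
# merely changes the form's "action" cannot reach them unauthenticated.
my %actions = (
    view           => \&view,
    start          => sub { login_verify(); start() },
    delete_message => sub { login_verify(); delete_message() },
);
my $handler = $actions{ $FORM{action} // 'view' } or dienice("Unknown action");
$handler->();
```

Run it as-is and the delete goes through; change login_password to anything else and dienice() ends the request before delete_message() is ever called.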