ZH2003-11SA (security advisory): Elite News Ver. 1.0.0.0-1.0.0.3 Beta

Published: 16/07/2003

Released: 16/07/2003

Name: Elite News 

Affected System(s): All versions 

Severity: High

Platform(s): Windows and Unix 

Issue: Security holes enable attackers to take administrative control

Original Advisory: http://www.zone-h.org/en/advisories/read/id=2710

Author: Trash-80 - dpangalos@linuxmail.org



Description

************

Zone-h Security Team has discovered a serious security flaw in Elite News 
Ver.1.0.0.0-1.0.0.3 Beta. 
Elite News is a news publishing system which allows you to easily post 
news and reviews without a MySQL database.


Details

********

1. Direct access to the stats.php file reveals the Elite News 
administrator's username.

  ex: www.example.com/elitenews/stats.php

2. Fill in the administrator's username in login.html.
  Leave the password field blank.
  Click "Login".
   
  ex: www.example.com/elitenews/login.html

3. Then directly access newpost.php to post a message as an Elite News 
administrator.



Furthermore

************

login.php sets a cookie in your temporary internet files with the 
administrator's username.


Cookie content:

/elitenews
ex: UserAdmin
www.example.com/elitenews/
1536
2873507712
29576153
2673509856
29576139
*
Elitenews
1
www.example.com/elitenews/
1536
2873507712
29576153
2673509856
29576139
*



newpost.php "reads" this cookie, so the "Send" and "Reset" buttons, which 
are not shown unless you log in with the administrator's username, become 
visible.


(Bogus) PHP Code/Location:

/elitenews/newpost.php:
------------------------------------------------------------------------

<?php
$admin = $HTTP_COOKIE_VARS["Elitenews"]; 
if ($admin != "")
{
echo "<input <input type=submit value=Send><input type=reset value=Reset>";
}
?>

------------------------------------------------------------------------

It's also possible to access other Elite News files such as modify.php, 
editordelete.php, etc.
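
For comparison with the newpost.php check above, one way to gate the admin pages on server-side state instead of a client cookie. This is an added example, not part of the original advisory and not Elite News or vendor code; the function names, the sample credential store and the choice of PHP sessions with password_hash() are assumptions.

```php
<?php
// Added example, not Elite News code; every function name here is hypothetical.
declare(strict_types=1);

// Constructed sample store (username => password hash). The advisory does not
// say how Elite News keeps credentials; a hashed flat file is assumed here.
function load_admins(): array
{
    return ['UserAdmin' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
}

// Login check: a blank username or password never authenticates.
function check_login(string $user, string $pass, array $admins): bool
{
    if ($user === '' || $pass === '' || !isset($admins[$user])) {
        return false;
    }
    return password_verify($pass, $admins[$user]);
}

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call only after check_login() succeeds. The admin flag is stored server-side,
// so the browser holds nothing but an opaque session id.
function start_admin_session(string $user): void
{
    ensure_session();
    session_regenerate_id(true); // fresh id on privilege change
    $_SESSION['admin_user'] = $user;
}

// Gate for newpost.php, modify.php, editordelete.php and stats.php.
// Call before any output; the request ends here unless the session is an admin's.
function require_admin(): string
{
    ensure_session();
    $user = $_SESSION['admin_user'] ?? '';
    if (!is_string($user) || $user === '') {
        http_response_code(403);
        exit('Forbidden');
    }
    return $user;
}
```

With require_admin() as the first call in each protected script, the presence of a non-empty Elitenews cookie grants nothing by itself, and the blank-password login is rejected in check_login().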


Solution:

*********

The vendor has been contacted; a patch has not yet been produced.


Trash-80 - www.zone-h.org operator

http://www.zone-h.org


