RNN Guestbook Bypass Administrative Authentication

2003-11-26T05:40:08
ID OSVDB:2873
Type osvdb
Reporter OSVDB
Modified 2003-11-26T05:40:08

Description

Vulnerability Description

RNN Guestbook's gbadmin.cgi script only asks for authentication when attempting to access the main admin page. If an attacker provides a specific QUERY_STRING with the gbadmin.cgi request, the script will not require authentication. This allows a remote attacker to have full administrative control over the guestbook system.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by disabling all access to the guestbook scripts until a patch or upgrade is made available.

Short Description

RNN Guestbook's gbadmin.cgi script only asks for authentication when attempting to access the main admin page. If an attacker provides a specific QUERY_STRING with the gbadmin.cgi request, the script will not require authentication. This allows a remote attacker to have full administrative control over the guestbook system.

Manual Testing Notes

  1. ~/gbadmin.cgi?action=change_adminpass - Change password
  2. ~/gbadmin.cgi?action=delete_guests - Delete ALL posts on the guestbook.
  3. ~/gbadmin.cgi?action=setup - Change setup information for guestbook.
  4. ~/gbadmin.cgi?action=colors - Modify the look and feel of the guestbook
  5. ~/gbadmin.cgi?action=change_automail - Change emailing information

References:

Secunia Advisory ID:10306 Generic Informational URL: http://packetstormsecurity.nl/0311-exploits/rnnguest12.txt Bugtraq ID: 9116