Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

raq2.admin.exploit.txt

🗓️ 31 Jan 2000 00:00:00Reported by SkirkhamType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 30 Views

Admin password change exploit via frame manipulation without proper validation.

Show more

5 of 5AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Code
` To replicate this bug you must have Site Administrator access to one of  
the accounts on the server. When you go into the Site Management for a  
site  
and select the User Management option, you get a list of the usernames  
that  
have been setup for that account. The green pencil edit icon is a command  
to execute the JavaScript function modify() and it passes the username as  
the only variable into the function. To properly execute a function from  
the Location Bar in Netscape, the HTML page has to be the top frame. I  
simply opened the userList.html file in a new frame. When you type  
"javascript: modify( 'admin' );" into the Location Bar, the modify()  
function returns a URL. The URL returned when accessing it from my site  
is  
"http://207.153.19.154:81/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi?userna  
me=admin&group=site151&949015199230". This loads a standard Modify User  
page for the "admin" account. However, when you attempt to change this  
information by clicking the "Confirm Modify" button, it returns a  
JavaScript  
error because the function that it calls upon is dependant on the frame  
layout of the Site Management page. To overcome this issue I simply  
downloaded two HTML files to my hard disk. One is the index.html file,  
other other is the right.html file. I basically changed the index.html  
file  
to call upon the URL's on my site and had it load the right.html file  
locally off my hard disk. I then changed the right.html file to load the  
URL's on my site but changed the "main" frame source to  
"http://207.153.19.154:81/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi?userna  
me=admin&group=site151&949015199230" - the Modify User page for the  
"admin"  
account. It then loads up with all the correct frames AND the Modify User  
page for the "admin" account. I very simply just enter a new password for  
the user and click "Confirm Modify" and presto! The admin password is  
changed allowing me access to the Server Management page showing all the  
server's clients, IP addresses, domain names, and ability to access all  
the  
client's contact people, telephone numbers, usernames, and passwords. I  
also could delete any sites/files or downloaded any sites/files. I then  
had  
full access via FTP to the site showing the root directory of the server,  
and the ability to delete any evidence via the /log/ directory.  
  
I hope this answers any of the questions you had, and the whole  
process  
took me under 5 minutes!  
  
-- snip snip --  
  
the users email address is [email protected] if you have any  
questions about it...  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
31 Jan 2000 00:00Current
7.4High risk
Vulners AI Score7.4
admin account accesspassword modificationjavascript exploitsite management vulnerabilityframe manipulation techniques.
30
.json
Report