ptnews.txt

2003-04-22T00:00:00
ID PACKETSTORM:31043
Type packetstorm
Reporter Arnaud Jacques
Modified 2003-04-22T00:00:00

Description

PTNews v1.7.7 - Access to administrator functions without authentication
  
  
.oO Overview Oo.  
PTNews v1.7.7 - Access to administrator functions without authentication
Discovered on April 7th, 2003
Vendor: PTNews - http://www.openbg.net/ptsite/  
  
PT News is a simple news system. It is a lightweight solution for sites without SQL
database support. The whole system is written in PHP (PHP3 and PHP4 are supported).
A vulnerability allows access to the administrator functions without
authentication.
  
  
.oO Details Oo.  
In PTNews v1.7.7, the administrator functions are located in the file news.inc.
Here is the interesting piece of code:
  
//handle administrator functions
// Note: no authentication check precedes any of the branches below; each
// branch is selected purely by request parameters.

$files = getFileNames($newsdir);
$context = "";

if ($HTTP_POST_VARS[submitButton] == $lang[frm_btn]) {
    // POST: create a news entry, optionally replacing an existing file
    createNewsEntry($newsdir);
    if ("replace" == $HTTP_POST_VARS[action] &&
        in_array($HTTP_POST_VARS[file], $files)) {
        deleteNewsEntry($newsdir.$HTTP_POST_VARS[file]);
    }
    makeNewsRSS($newsdir);
} elseif (isset($HTTP_GET_VARS[delete])) {
    // GET ?delete=all removes every entry; ?delete=<file> removes one
    if ("all" == $HTTP_GET_VARS[delete]) {
        $context = deleteAll($newsdir,$config[newssuff]);
    } else {
        if (in_array($HTTP_GET_VARS[delete], $files))
            deleteNewsEntry ($newsdir.$HTTP_GET_VARS[delete]);
    }
    makeNewsRSS($newsdir);
} elseif (isset($HTTP_GET_VARS[edit]) &&
          in_array($HTTP_GET_VARS[edit], $files)) {
    // GET ?edit=<file> opens an existing entry for editing
    $context = editNewsEntry($newsdir,$HTTP_GET_VARS[edit]);
}
  
  
As you can see, it handles:
- News creation  
- News replacement  
- News deletion  
- News editing  
  
  
Now, the file "news.inc" is included in the index.php file as follows:
  
<html>
<head>
<title>PTNews Site</title>
</head>
<body>
<?
$newsdir = "news/";
include ("news.inc");
// handle CGI parameters
if (!isset($HTTP_GET_VARS[pageNum])) $pageNum = 1;
else $pageNum = $HTTP_GET_VARS[pageNum];
if (!isset($HTTP_GET_VARS[topic])) {
    $topic="";
} else {
    $topic=$HTTP_GET_VARS[topic];
}
$extra="";
?>
etc...
  
  
Bingo! The file "news.inc" is required by the public access file "index.php", for
example for the "searchNews" or "displayNews" functions. But since news.inc also
contains the administrator functions, and the include runs them with no
authentication check, anyone who can reach index.php can reach the administrator
functions...
  
.oO Exploit Oo.  
Ok, that's really easy. You just have to send a specific URL to access the
admin functions.

Function        / URL
Create a news   / Not a URL: only POSTed data. Not impossible to exploit :)
Replace a news  / Not a URL: only POSTed data. Not impossible to exploit :)
Delete all news / http://www.victim.com/ptnews/index.php?delete=all
Edit a news     / Too difficult to exploit
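As an added example (not part of the original advisory), here is a check a site operator could run over web server access logs to spot requests that reach the admin branches of news.inc. It assumes Apache "combined" format logs and a /ptnews/ install path; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" access log; fields after the status code are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# GET parameters that select the unauthenticated admin branches in news.inc.
ADMIN_GET_PARAMS = ("delete", "edit")


def classify_request(method, target):
    """Label a request that reaches a PTNews admin branch; None otherwise."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):  # public entry point that includes news.inc
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in ADMIN_GET_PARAMS:
        if name in query:
            return f"{name}={query[name][0]}"  # e.g. delete=all removes every entry
    if method == "POST":
        # create/replace use posted fields (submitButton, action, file) not visible in the URL
        return "POST (possible create/replace)"
    return None


def scan_log(lines):
    """Return (ip, timestamp, status, label) for every admin-branch request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production scanner should count these
        label = classify_request(m["method"], m["target"])
        if label is not None:
            hits.append((m["ip"], m["ts"], int(m["status"]), label))
    return hits


# Constructed sample lines (not real traffic); the /ptnews/ install path is an assumption.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Apr/2003:10:00:00 +0200] "GET /ptnews/index.php?pageNum=2 HTTP/1.0" 200 1532',
    '203.0.113.9 - - [07/Apr/2003:10:01:12 +0200] "GET /ptnews/index.php?delete=all HTTP/1.0" 200 612',
    '203.0.113.9 - - [07/Apr/2003:10:01:30 +0200] "POST /ptnews/index.php HTTP/1.0" 200 1120',
    '203.0.113.9 - - [07/Apr/2003:10:02:00 +0200] "GET /ptnews/index.php?edit=20030407.txt HTTP/1.0" 200 980',
    '198.51.100.2 - - [07/Apr/2003:10:03:00 +0200] "GET /ptnews/rss.xml HTTP/1.0" 200 410',
]
```

The POST rule is deliberately coarse (any POST to index.php), so on a site with other forms correlate those hits with delete/edit requests from the same client.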
  
.oO Solution Oo.  
The solution is to separate the standard news functions from the administrator
news functions.
Standard news functions must go to news.inc
Administrator news functions must go to admin.inc
  
The vendor has been informed and solved the problem. Download ptnews 1.7.8 at:  
http://www.openbg.net/ptsite/  
  
  
.oO Discovered by Oo.  
Arnaud Jacques aka scrap  
webmaster@securiteinfo.com  
http://www.securiteinfo.com  