[[ TH 026 Inc. ]] SA #1 - Multiple vulnerabilities in PVote 1.5

2002-04-18T00:00:00
ID SECURITYVULNS:DOC:2808
Type securityvulns
Reporter Securityvulns
Modified 2002-04-18T00:00:00

Description

        Telhack Security Advisory - #1

Name: PVote 1.5b Impact: Minor (Content manipulation, Script admin) Date: April 18 / 2002


Daniel Nystr&ouml;m <exce@netwinder.nu>

I N F O PVote is a PHP voting system. It uses MySQL to hold all information about the system. Author has been notified of all three problems described in this advisory.

P R O B L E M A lot of the scripts in the PVote package do not properly check who the userare and therefore lets anyone add or delete polls at any time. Also, there exist a vulnerability that lets anyone change the Admin password or set it to null.

I M P A C T Minor, as content manipulation aint to bad after all. Just a little bit embarrasing.

E X P L O I T I N G These 'Add/Del' and 'Admin change pass' vulns. can all be exploited from a web browser by a basic GET requests that might look something like these:

ADD http://isp.net/pvote/add.php?question=AmIgAy&o1=yes&o2=yeah&o3=well..yeah&o4 =bad Question is the question:) o1-o4 are the options.

DEL http://isp.net/pvote/del.php?pollorder=1 Pollorder is the poll 'id' number. It can be found by stepping thru poll.php to find the id as shown below: http://isp.net/pvote/poll.php?pollorder=1 and then increase pollorder (pollorder=2) and so on until you find what you want.

CHANGE ADMIN PASS http://isp.net/pvote/ch_info.php?newpass=owned&confirm=owned Again we are allowed to change stuff without having to authenticate in anyway. If we just wanna fuck with the admin we may just enter this: http://isp.net/pvote/ch_info.php As it sets both newpass and confirm to "" it sets the pass to "". This thing could have been avoided by just adding a line of code that required you to submit the old pass to be able to change.

F I X E S Many of the scripts in this package needs some kind of secure authenticationmethod that stops users from behaving badly >:) and I think it is up to the author(s?) to fix that. But until then, I would recommend removing the package.

/Daniel Nystr&ouml;m a.k.a excE @ Telhack 026 Inc.

http://excelsi0r.darktech.org/~exce/ http://www.telhack.com <- page temporarily down.