Pointter PHP Content Management System Unauthorized Privilege Escalation

🗓️ 01 Jul 2014 00:00:00Reported by RootType

Pointter PHP Content Management System Unauthorized Privilege Escalation vulnerability allows administrative privileges through crafted cookies. No update available. Avoid use

Reporter	Title	Published	Views	Family All 11
0day.today	Pointter PHP Content Management System Unauthorized Privilege	16 Dec 201000:00	–	zdt
CVE	CVE-2010-4332	22 Dec 201001:00	–	cve
Cvelist	CVE-2010-4332	22 Dec 201001:00	–	cvelist
Exploit DB	Pointter PHP Content Management System - Unauthorized Privilege Escalation	15 Dec 201000:00	–	exploitdb
EUVD	EUVD-2010-4304	7 Oct 202500:30	–	euvd
exploitpack	Pointter PHP Content Management System - Unauthorized Privilege Escalation	15 Dec 201000:00	–	exploitpack
NVD	CVE-2010-4332	22 Dec 201003:00	–	nvd
Packet Storm	Pointter PHP Content Management System 1.0 Privilege Escalation	15 Dec 201000:00	–	packetstorm
Prion	Authentication flaw	22 Dec 201003:00	–	prion
securityvulns	'Pointter PHP Micro-Blogging Social 'Pointter PHP Content Management System' Unauthorized Privilege Escalation (CVE-2010-4332)	17 Dec 201000:00	–	securityvulns


                                                &#39;Pointter PHP Content Management System&#39; Unauthorized Privilege Escalation (CVE-2010-4332)
Mark Stanislav - [email protected]


I. DESCRIPTION
---------------------------------------
A vulnerability exists in the &#39;Pointter PHP Content Management System&#39; authentication system which allows for administrative privileges by crafting two specific cookies with arbitrary values.

 
II. TESTED VERSION
---------------------------------------
1.0


III. PoC EXPLOIT
---------------------------------------
Using whatever method you prefer, generate &#39;auser&#39; and &#39;apass&#39; cookies. The values of each cookie are irrelevant; the mere presence of the cookies provide the administrative privilege.


IV. NOTES 
---------------------------------------
* Here&#39;s a snippet of the final reply that I received from the vendor:
&#34;Of course, it could be made safer and we know how to do it. But we have designed the softwares so that renaming admin folder gives us less work. As you know, the users should know the security issues as they will run this and not us.&#34;


V. SOLUTION
---------------------------------------
* There is no update released at this time. Avoidance of this software is recommended until an updated version is available.


VI. REFERENCES
---------------------------------------
http://www.pointter.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4332
http://www.uncompiled.com/2010/12/pointter-php-content-management-system-unauthorized-privilege-escalation-cve-2010-4332/


VII. TIMELINE
---------------------------------------
11/23/2010 - Initial vendor disclosure e-mail sent
11/24/2010 - Reply from vendor informing me that my &#39;software manipulation&#39; was illegal
11/24/2010 - Response to vendor regarding their accusation of illegal actions on my part
11/24/2010 - Reply from vendor stating that by releasing this information, I am committing a crime
11/24/2010 - Response to vendor that their software is CC-licensed and that their accusations are unfounded
11/24/2010 - Rebuttal from vendor again affirming I was breaking the law by disclosing this vulnerability
11/24/2010 - Reply to vendor again stating my intent to help the company and provide responsible disclosure
11/24/2010 - Response from vendor stating they would no longer respond and explained their stance on fixing this issue
11/24/2010 - Final reply to vendor stating that I was happy to work with them on a delayed disclosure if desired
12/15/2010 - Public disclosure

01 Jul 2014 00:00Current

0.7Low risk

Vulners AI Score0.7

EPSS0.01708