'Pointter PHP Content Management System' Unauthorized Privilege

Board: Bugtraq, posted 2010/12/17 03:32
'Pointter PHP Content Management System' Unauthorized Privilege Escalation (CVE-2010-4332)

Mark Stanislav - mark.stanislav@gmail.com

I. DESCRIPTION
---------------------------------------
A vulnerability exists in the 'Pointter PHP Content Management System' authentication system which allows for administrative privileges by crafting two specific cookies with arbitrary values.

II. TESTED VERSION
---------------------------------------
1.0

III. PoC EXPLOIT
---------------------------------------
Using whatever method you prefer, generate 'auser' and 'apass' cookies. The values of each cookie are irrelevant; the mere presence of the cookies provides the administrative privilege.

IV. NOTES
---------------------------------------
* Here's a snippet of the final reply that I received from the vendor:

"Of course, it could be made safer and we know how to do it. But we have designed the softwares so that renaming admin folder gives us less work. As you know, the users should know the security issues as they will run this and not us."

V. SOLUTION
---------------------------------------
* There is no update released at this time. Avoidance of this software is recommended until an updated version is available.

VI. REFERENCES
---------------------------------------
http://www.pointter.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4332
http://www.uncompiled.com/2010/12/pointter-php-content-management-system-unauthorized-privilege-escalation-cve-2010-4332/

VII. TIMELINE
---------------------------------------
11/23/2010 - Initial vendor disclosure e-mail sent
11/24/2010 - Reply from vendor informing me that my 'software manipulation' was illegal
11/24/2010 - Response to vendor regarding their accusation of illegal actions on my part
11/24/2010 - Reply from vendor stating that by releasing this information, I am committing a crime
11/24/2010 - Response to vendor that their software is CC-licensed and that their accusations are unfounded
11/24/2010 - Rebuttal from vendor again affirming I was breaking the law by disclosing this vulnerability
11/24/2010 - Reply to vendor again stating my intent to help the company and provide responsible disclosure
11/24/2010 - Response from vendor stating they would no longer respond and explained their stance on fixing this issue
11/24/2010 - Final reply to vendor stating that I was happy to work with them on a delayed disclosure if desired
12/15/2010 - Public disclosure
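The defect class described in section III, an application that treats the mere presence of a client-controlled cookie as proof of administrative login, shown next to a server-side session check that does not trust anything the browser sends as a credential. This is an added PHP illustration, not Pointter's code (the advisory does not reproduce the vulnerable source). The cookie names 'auser' and 'apass' come from the advisory; the function names, the 'admins' table and its columns are assumptions made for the example.

```php
<?php
// Added illustration, not Pointter's code. Contrasts the defect class named in
// the advisory (authorization by cookie presence) with a server-side check.

// INSECURE: grants administrative rights whenever two cookies exist.
// The client chooses cookie names and values, so this check verifies nothing;
// any value, as the advisory notes, is sufficient.
function isAdminInsecure(array $cookies): bool
{
    return isset($cookies['auser']) && isset($cookies['apass']);
}

// HARDENED: the only cookie that matters is the opaque PHP session id. The
// admin flag lives server-side in $_SESSION and is set only after the supplied
// password verifies against a stored hash. The 'admins' table with columns
// (username, password_hash) is an assumption for this example.
function loginAdmin(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM admins WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();

    // password_verify() checks a password_hash() digest in constant time.
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }

    // Rotate the session id at the privilege change to defeat session fixation.
    session_regenerate_id(true);
    $_SESSION['is_admin']   = true;
    $_SESSION['admin_user'] = $user;
    return true;
}

// The authorization decision reads server-side state only.
function isAdminSecure(): bool
{
    return !empty($_SESSION['is_admin']);
}

// Demonstration with constructed input: a forged cookie jar with arbitrary values.
$forgedCookies = ['auser' => 'anything', 'apass' => 'anything'];
var_dump(isAdminInsecure($forgedCookies));   // the defect: presence alone suffices

// Session cookie hardened before the session starts: not readable by script,
// sent only over HTTPS, and not attached to cross-site requests.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict',
]);
session_start();
var_dump(isAdminSecure());                    // no login has occurred in this session
```

The hardened path fixes the check itself; the vendor's stated mitigation of renaming the admin folder only hides the URL and leaves the cookie-presence logic in place, so a request that carries the two cookies would still be treated as administrative once the folder is found.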