[ SOURCE: http://www.secureroot.com/security/advisories/9735755463.html ]

News Update Advisory + Exploit - Morpheus[bd]

********************************
Morpheus[bd]
www:    www.brightdarkness.de
mailto: morpheusbd@gmx.net
********************************

Program name:      News Update
Version:           1.1
Vendor/Programmer: CGI Script Center (http://cgi.elitehost.com)
Short Info:        Changing present passwords for the cgi-program without
                   knowing the former password

*******************
About News Update
*******************

From the "News Update" documentation:

[...]
"News Update was designed specifically for updating websites with a minimal
effort. Our goal was to allow the user the ability to quickly and efficiently
update pages of data without having to open countless pages and creating pages
and pages of new text, graphics, and HTML, only to have to delete them in a few
days."
[...]

********
Impact
********

A password protection should prevent non-authorised users from adding or
deleting news on the page. It is possible to circumvent this password
protection and to assign a new password - which allows malicious users to
modify your news page.

*****
Bug
*****

Shortly after the initialisation of some variables the following code is used
to interpret the input of the user...

----------------snip--8<--snip-------------------
if ($INPUT{'parse'}) {
    &parse;
} elsif ($INPUT{'setpwd'}) {
    &setpwd;
} else {
    &display;
}
----------------snap--8<--snap-------------------

If we supply the "setpwd" parameter the function "setpwd" is called, which
should change the password... Both parameters used in setpwd, "pwd" and "pwd2",
contain the new password - "pwd2" is used as a confirmation for the first one,
"pwd". The old - original - password is NOT needed.

----------------snip--8<--snip-------------------
(a shortened version of setpwd)

sub setpwd {
    print "Content-type: text/html\n\n";
    unless ($INPUT{'pwd'} && $INPUT{'pwd2'}) {
        [...] FAILURE [...]
        exit;
    }
    if ($INPUT{'pwd'} && $INPUT{'pwd2'}) {
        if ($INPUT{'pwd'} ne $INPUT{'pwd2'}) {
            [...] FAILURE [...]
            exit;
        }
    }
    [...]
    open (PASSWORD, ">$passfile/password.txt");
    print PASSWORD "$newpassword";
    close (PASSWORD);
    print<News Update: Password Success!
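The defect in the snippet above is that setpwd never asks for the current password, so anyone who can reach the script with setpwd, pwd and pwd2 set can replace it. The following Perl is an added example of a hardened setpwd written for this advisory; it is not the vendor's code. It reuses the advisory's %INPUT hash and $passfile directory, and assumes a hypothetical "oldpwd" form field carrying the current password. It also replaces the plaintext password.txt with a salted SHA-256 hash (stored as "salt:hash"), so that reading the file no longer yields the password.

```perl
#!/usr/bin/perl -w
# Added example (not the vendor's code): setpwd that demands the current
# password before accepting a new one. Assumes the advisory's %INPUT hash and
# $passfile directory; the "oldpwd" parameter name is hypothetical.
use strict;
use Digest::SHA qw(sha256_hex);   # core module since Perl 5.10

our %INPUT;              # filled by the script's own form parser (assumption)
our $passfile = '.';     # directory holding password.txt (assumption)

# Read "salt:hash" from password.txt; returns (salt, hash) or () if absent.
sub read_stored {
    open(my $fh, '<', "$passfile/password.txt") or return ();
    my $line = <$fh>;
    close($fh);
    return () unless defined $line;
    chomp $line;
    return split(/:/, $line, 2);
}

# Compare two hex digests without short-circuiting on the first mismatch.
sub hashes_equal {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

sub fail {
    my ($msg) = @_;
    print "<p>Password change failed: $msg</p>\n";
    exit;
}

sub setpwd {
    print "Content-type: text/html\n\n";

    my ($old, $new, $new2) = @INPUT{qw(oldpwd pwd pwd2)};
    fail("all fields are required")
        unless defined $old && defined $new && defined $new2 && length $new;
    fail("new passwords do not match") if $new ne $new2;

    # The check the original lacks: prove knowledge of the current password.
    my ($salt, $stored) = read_stored();
    fail("no password set") unless defined $stored;
    fail("current password incorrect")
        unless hashes_equal(sha256_hex("$salt:$old"), $stored);

    # Store a salted hash rather than the plaintext the original wrote out.
    # rand() is not a cryptographic source; a real deployment would read
    # the salt from /dev/urandom or a CSPRNG module.
    my $newsalt = sprintf("%08x%08x", int(rand(2**32)), int(rand(2**32)));
    open(my $fh, '>', "$passfile/password.txt")
        or fail("cannot write password file");
    print $fh "$newsalt:" . sha256_hex("$newsalt:$new") . "\n";
    close($fh);
    print "<p>Password changed.</p>\n";
}

# Stand-alone usage: simulate a form submission and run the handler.
%INPUT = (oldpwd => 'current-secret', pwd => 'new-secret', pwd2 => 'new-secret');
setpwd();
```

The essential change is the read_stored/hashes_equal step: a password reset must be authenticated by the credential it replaces (or by an out-of-band recovery path), regardless of whether pwd and pwd2 agree. The dispatch code in the advisory would still route `setpwd` requests here, so no change to the caller is needed.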