Vendor: Easynews
By: nuffsaid
CVSS: 7.5 (HIGH)
Class: Authentication Bypass
CWE: 287
Product Name: Easynews
Affected Version From: 4.4.2000
Affected Version To: 4.4.2001
Patch Exists: YES
Related CWE: N/A
CPE: a:myupb:easynews
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

Easynews <= 4.4.1 (admin.php) Authentication Bypass Vulnerability

Easynews does not properly verify that an administrator has logged in with a correct username and password; it only checks whether $admin[$en_login_id] == 'true'. Tested and working on versions 4.4.0 and 4.4.1 (previous versions may also be affected) with register_globals = On. After bypassing the login check, administrators have the option to edit config2.php (PHP code can be inserted and then executed by visiting config2.php directly, or any other script that includes config2.php) and other general settings.

Mitigation:

Ensure that authentication checks are properly implemented and that user input is properly validated.

Exploit-DB raw data:

+-------------------------------------------------------------------------------------------
+ Easynews <= 4.4.1 (admin.php) Authentication Bypass Vulnerability
+-------------------------------------------------------------------------------------------
+ Affected Software .: Easynews <= 4.4.1
+ Vendor ............: http://www.myupb.com/
+ Download ..........: http://fileserv.myupb.com/download.php?url=easynews4.4.1.zip
+ Description .......: "A news management system for your website."
+ Class .............: Authentication Bypass
+ Risk ..............: High (Authentication Bypass)
+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
+-------------------------------------------------------------------------------------------
+ Details:
+ Easynews doesn't properly check to ensure an administrator has been logged in with correct
+ username and password information, it only checks if $admin[$en_login_id] == "true".
+ 
+ Tested and working on version 4.4.0 and 4.4.1 (previous versions may also be affected)
+ with register_globals = On, after bypassing the login check administrators have the option
+ to edit config2.php (PHP code can be inserted then executed by visiting config2.php directly
+ or any other script that includes config2.php) and other general settings.
+ 
+ Vulnerable Code:
+ admin.php, line(s) 22: if(@$admin[$en_login_id] == "true") //admin is logged in successfuly
+ 
+ Proof Of Concept:
+ http://[target]/[path]/admin.php?action=users&en_login_id=0
+ http://[target]/[path]/admin.php?action=config&en_login_id=0
+-------------------------------------------------------------------------------------------

# milw0rm.com [2006-10-17]
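
A log check for the request pattern described in the advisory, as an added example that is not part of the original advisory or of the Easynews code: it flags admin.php requests whose query string sets en_login_id. It assumes Apache combined-format access logs and that legitimate requests never carry en_login_id in the query string; the sample log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Oct/2006:10:01:02 +0000] "GET /news/admin.php?action=users&en_login_id=0 HTTP/1.1" 200 5120 "-" "-"
192.0.2.10 - - [17/Oct/2006:10:01:09 +0000] "GET /news/admin.php?action=config&en%5Flogin%5Fid=0 HTTP/1.1" 200 7340 "-" "-"
198.51.100.7 - - [17/Oct/2006:10:02:00 +0000] "GET /news/admin.php HTTP/1.1" 200 1804 "-" "-"
198.51.100.7 - - [17/Oct/2006:10:02:30 +0000] "GET /news/index.php?en_login_id=0 HTTP/1.1" 200 9001 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def php_var_name(param):
    """Normalise a parameter name the way PHP does when it registers request
    variables: array suffix dropped, dots and spaces become underscores."""
    base = param.split("[", 1)[0].lstrip(" ")
    return base.replace(".", "_").replace(" ", "_")


def find_login_id_overrides(log_text):
    """Return admin.php requests whose query string sets en_login_id."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/admin.php"):
            continue  # the advisory locates the flawed check in admin.php
        params = parse_qsl(url.query, keep_blank_values=True)  # percent-decodes
        if any(php_var_name(k) == "en_login_id" for k, _ in params):
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "action": dict(params).get("action", ""),
                "status": int(m["status"]),  # response code, for triage
            })
    return hits


if __name__ == "__main__":
    for hit in find_login_id_overrides(SAMPLE_LOG):
        print(hit)
```

With register_globals = On the same variable can also arrive in a POST body or a cookie, which default access logs do not record, so this check covers the query-string case only.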