[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] 'Pointter PHP Content Management System' Unauthorized Privilege Escalation (CVE-2010-4332)

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] 'Pointter PHP Content Management System' Unauthorized Privilege Escalation (CVE-2010-4332)
From: Mark Stanislav <mark.stanislav@xxxxxxxxx>
Date: Wed, 15 Dec 2010 13:02:13 -0500

'Pointter PHP Content Management System' Unauthorized Privilege Escalation
(CVE-2010-4332)
Mark Stanislav - mark.stanislav@xxxxxxxxx

I. DESCRIPTION
---------------------------------------
A vulnerability exists in the 'Pointter PHP Content Management System'
authentication system which allows for administrative privileges by crafting
two specific cookies with arbitrary values.

II. TESTED VERSION
---------------------------------------
1.0

III. PoC EXPLOIT
---------------------------------------
Using whatever method you prefer, generate 'auser' and 'apass' cookies. The
values of each cookie are irrelevant; the mere presence of the cookies provide
the administrative privilege.

IV. NOTES
---------------------------------------
* Here's a snippet of the final reply that I received from the vendor:
"Of course, it could be made safer and we know how to do it. But we have
designed the softwares so that renaming admin folder gives us less work. As you
know, the users should know the security issues as they will run this and not
us."

V. SOLUTION
---------------------------------------
* There is no update released at this time. Avoidance of this software is
recommended until an updated version is available.

VI. REFERENCES
---------------------------------------
http://www.pointter.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4332
http://www.uncompiled.com/2010/12/pointter-php-content-management-system-unauthorized-privilege-escalation-cve-2010-4332/

VII. TIMELINE
---------------------------------------
11/23/2010 - Initial vendor disclosure e-mail sent
11/24/2010 - Reply from vendor informing me that my 'software manipulation' was
illegal
11/24/2010 - Response to vendor regarding their accusation of illegal actions
on my part
11/24/2010 - Reply from vendor stating that by releasing this information, I am
committing a crime
11/24/2010 - Response to vendor that their software is CC-licensed and that
their accusations are unfounded
11/24/2010 - Rebuttal from vendor again affirming I was breaking the law by
disclosing this vulnerability
11/24/2010 - Reply to vendor again stating my intent to help the company and
provide responsible disclosure
11/24/2010 - Response from vendor stating they would no longer respond and
explained their stance on fixing this issue
11/24/2010 - Final reply to vendor stating that I was happy to work with them
on a delayed disclosure if desired
12/15/2010 - Public disclosure
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] i hate it when some one beats me to a bug
Next by Date: [Full-disclosure] 'Pointter PHP Micro-Blogging Social Network' Unauthorized Privilege Escalation (CVE-2010-4333)
Previous by thread: [Full-disclosure] Updated online binary planting exposure test continues operation
Next by thread: [Full-disclosure] 'Pointter PHP Micro-Blogging Social Network' Unauthorized Privilege Escalation (CVE-2010-4333)
Index(es):
- Date
- Thread