Geoblog v1 administrator bypass

2007.07.31
Credit: joseph
Risk: High
Local: No
Remote: Yes
CVE: CVE-2007-4047
CWE: N/A


CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: Partial

Geoblog v1. A vulnerability exists in geoblog version 1 (latest) that allows users to delete other peoples comments without administration credentials. It works on blogs too. Users can delete blogs without user credentials. The reason why is because the listcomments.php and deletecomments.php files fail to include checks for authenticity. The following proof of concept is as follows: www.example.com/blog/admin/listcomment.php?id=16 The ID being the blog ID obtained from the index. Using this we can go here... http://www.truegirlonline.net/blog/admin/deletecomment.php?id=16 And delete comments without any admin sosay. And the blog deletion. http://www.example.net/blog/admin/deleteblog.php?id=15 The fix presently would be to add checks for authenticity like the other files. if($_SESSION['login'] != "user_valid_and_logged_in") { header("Location: ../index.php"); }


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top