25C3-CTF


Advisory #82

From team Stealth Assassin

New advisory by: thaidn
Affected service(s): ultrashare
Severity [lmh] : medium

===== Problem =====
The delete function in main.rb fails to check whether curUser is admin, which allows any authorized (logged-in) user to delete the account of any other user, including the admin account, by requesting a URL like the one below:

main.rb?action=delete&user=admin

===== Impact =====

Deletion of any user's account and files by any logged-in user.

===== Fix =====

Change the delete function in main.rb into something like:

def delete
  unless isAdmin?
    $stderr.print "User is not authorized to delete users"
    @cgi.session['authorized'] = false
    @cgi.session['error'] << 6
    @cgi.redirect("#{@cgibin}/main.rb?action=loginForm")
    return   # without this the deletion below would still run after the redirect
  end
  (success, msg) = (deleteUser @cgi['user'])
  if success
    msgs = [msg]
    $stderr.print msgs
  else
    errors = [msg]
    $stderr.print errors
  end
  $stderr.print "Listing the users"
  listAllUsers({:msgs => msgs, :errors => errors })
end
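The following is an added, self-contained example and not the ultrashare challenge code: a minimal stand-in for the main.rb delete action with the vulnerable handler beside the fixed one. The user table, session hashes, the Request struct and the delete_user helper (standing in for deleteUser) are all constructed for this demo; the fixed handler mirrors the advisory's fix by checking the admin flag before the dangerous call and returning immediately, so the deletion can never be reached by a non-admin session.

```ruby
# Constructed user table: admin plus two ordinary accounts with some files.
USERS = {
  'admin' => { admin: true,  files: ['flag.txt'] },
  'alice' => { admin: false, files: ['notes.txt'] },
  'bob'   => { admin: false, files: [] },
}

# Hypothetical request object: CGI params plus the session hash.
Request = Struct.new(:params, :session)

# Fresh copy of the user table so every call starts from the same state.
def fresh_users
  USERS.transform_values { |u| { admin: u[:admin], files: u[:files].dup } }
end

# Stand-in for deleteUser from the advisory: drops the account and its files.
def delete_user(users, name)
  return [false, "no such user: #{name}"] unless users.key?(name)
  users.delete(name)
  [true, "deleted #{name}"]
end

# Vulnerable version: any logged-in user reaches delete_user with an
# attacker-chosen ?user= parameter; the admin flag is never consulted.
def delete_vulnerable(req, users)
  return [false, 'login required'] unless req.session['authorized']
  delete_user(users, req.params['user'])
end

# Fixed version: authorization is checked first, the session is invalidated
# exactly as in the advisory's fix, and the method returns before the
# dangerous call instead of falling through to it.
def delete_fixed(req, users)
  return [false, 'login required'] unless req.session['authorized']
  unless users.dig(req.session['user'], :admin)
    req.session['authorized'] = false
    req.session['error'] << 6
    return [false, 'redirect: main.rb?action=loginForm']
  end
  delete_user(users, req.params['user'])
end

# Constructed session for a logged-in user.
def session_for(name)
  { 'authorized' => true, 'user' => name, 'error' => [] }
end

# Demo: alice (not admin) requests main.rb?action=delete&user=admin
# through the given handler and we record what happened to the admin account.
def demo(handler)
  users = fresh_users
  req = Request.new({ 'action' => 'delete', 'user' => 'admin' }, session_for('alice'))
  success, msg = send(handler, req, users)
  { success: success, msg: msg, admin_exists: users.key?('admin'), session: req.session }
end

if __FILE__ == $0
  p demo(:delete_vulnerable)   # admin account is gone
  p demo(:delete_fixed)        # admin survives, alice's session is invalidated
end
```

Running the file prints both outcomes: with the vulnerable handler alice removes the admin account, with the fixed handler the request fails, her session is marked unauthorized and error code 6 is queued, while an admin session can still delete ordinary users.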


Rating

[0] I doubt that. It's finally checked in deleteUser, isn't it? First line: if admin? ... If I'm wrong, please repost adv
