25C3-CTF


Advisory #84

From team Stealth Assassin

New advisory by: thaidn
Affected service(s): UltraShare
Severity [lmh] : medium

===== Problem =====

The delete function in main.rb fails to check whether curUser is an admin, which allows any authorized user to delete the account of any other user (but not the admin account) by requesting a URL like this:

main.rb?action=delete&user=innocent_user

===== Impact =====

Deletion of other users' accounts and files.

===== Fix =====
Change the delete function in main.rb into something like:

def delete
  unless isAdmin?
    $stderr.print "User is not authorized to delete users"
    @cgi.session['authorized'] = false
    @cgi.session['error'] << 6
    @cgi.redirect("#{@cgibin}/main.rb?action=loginForm")
    return  # without this return the deletion below still runs for non-admins
  end
  msgs, errors = [], []  # both must be defined, listAllUsers receives both
  (success, msg) = (deleteUser @cgi['user'])
  if success
    msgs = [msg]
    $stderr.print msgs
  else
    errors = [msg]
    $stderr.print errors
  end
  $stderr.print "Listing the users"
  listAllUsers({:msgs => msgs, :errors => errors })
end
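To make the missing-authorization bug and its fix concrete, here is an added stand-alone Ruby model of the delete action (example code, not the UltraShare service's own source). UserStore, Session and the two delete_action_* handlers are hypothetical names; the accounts are constructed sample data.

```ruby
# Added example (not the CTF service's own code): a minimal model of the
# UltraShare "delete" action, showing the missing admin check from the
# advisory beside the corrected handler. All names here are hypothetical.

class UserStore
  attr_reader :users
  def initialize
    # constructed sample accounts: one admin flag per user
    @users = { 'admin' => { admin: true },
               'innocent_user' => { admin: false },
               'attacker' => { admin: false } }
  end

  # Mirrors deleteUser: refuses to remove admin accounts, returns [success, msg]
  def delete_user(name)
    return [false, "no such user #{name}"] unless @users.key?(name)
    return [false, 'cannot delete admin accounts'] if @users[name][:admin]
    @users.delete(name)
    [true, "deleted #{name}"]
  end
end

# Session carries who is logged in; admin? is derived from the store,
# never from a client-controlled parameter.
class Session
  attr_accessor :user, :redirected_to
  def initialize(store, user)
    @store, @user, @redirected_to = store, user, nil
  end
  def admin?
    @store.users.dig(@user, :admin) == true
  end
end

# Vulnerable handler: any logged-in user may delete any non-admin user.
def delete_action_vulnerable(store, _session, target)
  store.delete_user(target)
end

# Fixed handler: check admin first, and RETURN after the redirect so the
# deletion code below is never reached for non-admins.
def delete_action_fixed(store, session, target)
  unless session.admin?
    session.redirected_to = 'main.rb?action=loginForm'
    return [false, 'not authorized']
  end
  store.delete_user(target)
end
```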

Rating

[0] I cannot delete a user without admin rights in my version.
