phpSlash Account Hijacking (Exploit)
Summary
"phpSlash is a powerful CMS written in PHP that provides easy and flexible means to publish community-based websites. It currently boasts full HTML templates, an OO design, the ability to operate in a hosted environment."
An input validation flaw discovered in phpSlash can be used to gain elevated privileges by hijacking the administrator's account.
Credit:
The information has been provided by tobozo.
Details
Vulnerable Systems:
* phpSlash versions 0.7.1, 0.7.2, and 0.8.X
There is an input validation flaw in Author.class::saveProfile that can be used to hijack another user's account, including the root (administrator) account, and so gain elevated privileges. In saveProfile, the author_id value is taken from the wrong source: the user-supplied data in $ary is never compared against the author_id bound to the current session.
Vulnerable Code:
<?php
/* Code extracted from Author.class */
function saveProfile($ary) {
    global $HTTP_COOKIE_VARS;
    // ( ... snip ... )
    /**********************************
     * This sql query is using data from an untrusted source ( $ary ) *
     **********************************/
    $this->db->query("SELECT author_id
                      FROM psl_author
                      WHERE author_id = '".$ary['author_id']."'");
    /**********************************
     * This condition is not relevant in that context, it is the current *
     * author_id (from $this->auth) that should eventually be compared *
     **********************************/
    if ($this->db->next_record()) {
        if ($ary['password'] == "") {
            $q = "UPDATE psl_author
                  SET author_name = '$ary[author_name]',
                      author_realname = '$ary[author_realname]',
                      url = '$ary[url]',
                      email = '$ary[email]',
                      quote = '$ary[quote]',
                      author_options = '$serial_opts'
                  WHERE author_id = '$ary[author_id]'";
            // use $this->auth->auth['uid'] instead of untrusted $ary
        } else {
            $q = "UPDATE psl_author
                  SET author_name = '$ary[author_name]',
                      author_realname = '$ary[author_realname]',
                      url = '$ary[url]',
                      email = '$ary[email]',
                      quote = '$ary[quote]',
                      password = MD5('$ary[author_name]:$ary[password]'),
                      author_options = '$serial_opts'
                  WHERE author_id = '$ary[author_id]'";
            /******************************/
            // use $this->auth->auth['uid'] and $this->auth->auth['uname']
            // instead of untrusted $ary
            /******************************/
        }
    }
    // ( ... snip ... )
}
?>
A malicious registered user can forge an HTTP request that overwrites the preferences of other authors (including author real name, email address, URL, and password). A malicious developer can easily automate such an attack using the self-registration capability offered by phpSlash and build a CMS-based zombie network. In fact, any registered user with the AuthorSaveProfile perm can overwrite another account's preferences.
Recognising a vulnerable site may vary with the configuration and version of the package; matching them depends principally on version identification, which will be the subject of a second bulletin covering the more generic HTML fingerprinting problem found in the common footer templates.
To determine whether your version is vulnerable, check the default perms assigned to a self-registered user (AuthorProfileSave, id 50).
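To make the fix concrete, here is an added, self-contained PHP sketch (not phpSlash's own code) that contrasts the vulnerable lookup with a hardened saveProfile that binds the update to the session's uid and ignores any author_id the client sends. The in-memory $authors table, the $session array and the uid values are constructed stand-ins for phpSlash's psl_author table and $this->auth->auth.

```php
<?php
// Constructed stand-in for phpSlash's psl_author table (author_id => row).
$authors = [
    1  => ['author_name' => 'root',   'email' => 'root@example.invalid',   'password' => md5('root:secret')],
    50 => ['author_name' => 'newbie', 'email' => 'newbie@example.invalid', 'password' => md5('newbie:pw')],
];
// Constructed stand-in for $this->auth->auth: the account the current session really belongs to.
$session = ['uid' => 50, 'uname' => 'newbie'];

// Vulnerable shape: the row to update is chosen by the client-supplied author_id,
// exactly as in the advisory's saveProfile().
function saveProfileVulnerable(array &$authors, array $session, array $ary): bool {
    $id = $ary['author_id'];                    // taken from untrusted $ary
    if (!isset($authors[$id])) return false;    // mirrors the "if next_record()" check
    $authors[$id]['email'] = $ary['email'];
    if (($ary['password'] ?? '') !== '') {
        $authors[$id]['password'] = md5($ary['author_name'] . ':' . $ary['password']);
    }
    return true;
}

// Hardened shape: the row is always the one bound to the session (uid), and the
// password hash uses the session's own uname; $ary['author_id'] is ignored entirely.
function saveProfileFixed(array &$authors, array $session, array $ary): bool {
    $id = (int) $session['uid'];
    if (!isset($authors[$id])) return false;
    $authors[$id]['email'] = $ary['email'];
    if (($ary['password'] ?? '') !== '') {
        $authors[$id]['password'] = md5($session['uname'] . ':' . $ary['password']);
    }
    return true;
}

// Constructed request: a self-registered user (uid 50) posts author_id=1 (root's row).
$forged = ['author_id' => 1, 'author_name' => 'root',
           'email' => 'changed@example.invalid', 'password' => 'newpass'];

saveProfileVulnerable($authors, $session, $forged);
echo "vulnerable: root email is now " . $authors[1]['email'] . "\n";   // root's row was modified

$authors[1]['email'] = 'root@example.invalid';                          // reset before the second run
saveProfileFixed($authors, $session, $forged);
echo "fixed: root email is still " . $authors[1]['email'] . "\n";      // root's row untouched
echo "fixed: uid 50 email is " . $authors[50]['email'] . "\n";         // only the session's own row changed
```

The hardened version also shows why the advisory's inline comments point at $this->auth->auth['uid'] and ['uname']: both the target row and the salt used in the MD5 password hash must come from the session, not from the posted form.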
Note:
Some upgrades (7 to 8) seem not to have this perm set and are therefore not vulnerable. Some versions with the configuration value 'authmode' set to 'log' are less vulnerable to manual or automated attacks.
Fix:
Download the latest package (0.8.1) from the phpSlash project page:
http://sourceforge.net/project/showfiles.php?group_id=10566