CVE-2006-4580

HIGH 7.5 / 10.0
Published: December 31, 2006 at 05:00 AM
Modified: April 9, 2025 at 12:30 AM
Source: PSIRT-CNA@flexerasoftware.com

Vulnerability Description

register.php in The Address Book 1.04e allows remote attackers to bypass the "Allow User Self-Registration" setting and create arbitrary users by setting the mode parameter to "confirm".

CVSS Metrics

Base Score: 7.5
Severity: HIGH
Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other (source: nvd@nist.gov)

AI Security Analysis

01 // Technical Summary

CVE-2006-4580 is a high-severity vulnerability in The Address Book 1.04e that lets remote attackers bypass the "Allow User Self-Registration" restriction and create user accounts the administrator never approved. Each such account gives the attacker authenticated access to the application, which can lead to exposure of stored contact data and further compromise of the system.

02 // Vulnerability Mechanism

Step 1, target identification: Identify a vulnerable instance of The Address Book 1.04e.

Step 2, request construction: Craft a malicious HTTP POST request to register.php.

Step 3, parameter manipulation: Include the parameter mode=confirm in the POST request, along with the desired username, password, and other registration fields (e.g., email).

Step 4, request submission: Send the crafted request to the target server.

Step 5, account creation: Because of the vulnerability, the server processes the request and creates a new user account, bypassing the self-registration restriction.

Step 6, access granted: The attacker can now log in to the application with the newly created credentials.

03 // Deep Technical Analysis

The vulnerability stems from a flawed implementation in register.php. The application does not enforce the "Allow User Self-Registration" setting on every code path: the check is applied when the registration form is requested, but the branch selected by mode=confirm, which actually creates the account, trusts that the earlier step was passed and never consults the setting. An attacker can therefore invoke the account-creation step directly, circumventing the administrator's configuration and creating new user accounts without approval. The root cause is a missing check of the self-registration setting in the confirm path, i.e. a policy enforced in only one of the places where it matters. The result is an access-control bypass of the registration policy.
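To make the pattern concrete for defenders, the following is an added, constructed PHP illustration; it is not the source code of The Address Book 1.04e, and the function names, the configuration key and the in-memory user store are assumptions. The first handler reproduces the flaw described above (the setting is checked only on the form branch, so a request that goes straight to mode=confirm creates an account); the second enforces the setting once, before any mode is dispatched, and logs rejected attempts so that the condition is visible in application logs.

```php
<?php
// Constructed example: a registration handler with the flaw pattern of
// CVE-2006-4580, next to a hardened version. Not the original application
// code; configuration key, function names and user store are assumptions.

// Simulated application configuration (constructed): self-registration is off.
$config = ['allow_self_registration' => false];

// Vulnerable pattern: the policy is enforced only on the "form" branch.
// A request with mode=confirm never reaches the check and creates the account.
function register_vulnerable(array $request, array $config, array &$users): string
{
    $mode = $request['mode'] ?? 'form';
    switch ($mode) {
        case 'form':
            if (!$config['allow_self_registration']) {
                return 'error: self-registration is disabled';
            }
            return 'render registration form';
        case 'confirm':
            // The self-registration check is missing on this path.
            $users[$request['username']] = password_hash($request['password'], PASSWORD_DEFAULT);
            return 'account created';
        default:
            return 'error: unknown mode';
    }
}

// Hardened pattern: enforce the policy once, before dispatching on mode,
// so every path that can create an account sits behind the same gate.
function register_hardened(array $request, array $config, array &$users): string
{
    $mode = $request['mode'] ?? 'form';
    if (empty($config['allow_self_registration'])) {
        // Record the rejected attempt; a POST with mode=confirm while
        // registration is disabled is a useful detection signal.
        error_log(sprintf('register.php: self-registration disabled, rejected mode=%s', $mode));
        return 'error: self-registration is disabled';
    }
    if ($mode === 'form') {
        return 'render registration form';
    }
    if ($mode === 'confirm') {
        $username = trim((string)($request['username'] ?? ''));
        $password = (string)($request['password'] ?? '');
        if ($username === '' || strlen($password) < 8) {
            return 'error: invalid registration data';
        }
        if (isset($users[$username])) {
            return 'error: username already taken';
        }
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
        return 'account created';
    }
    return 'error: unknown mode';
}

// Constructed request that skips the form and goes straight to the confirm step.
$request = ['mode' => 'confirm', 'username' => 'newuser', 'password' => 'constructed-example-pw'];

$storeA = [];
echo register_vulnerable($request, $config, $storeA), PHP_EOL;
echo 'accounts after vulnerable handler: ', count($storeA), PHP_EOL;

$storeB = [];
echo register_hardened($request, $config, $storeB), PHP_EOL;
echo 'accounts after hardened handler: ', count($storeB), PHP_EOL;
```

With the setting disabled, the vulnerable handler reports the account as created and the store holds one user, while the hardened handler refuses the request and the store stays empty. The design point is that a multi-step workflow must re-check the governing policy at the step that performs the privileged action, not only at the step that presents the form, because an HTTP client can send any step's parameters directly.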

CVE-2006-4580 - HIGH Severity (7.5) | Free CVE Database | 4nuxd