adv09-y3dips-2004.txt
____________________ ___ ___ ________
\_ _____/\_ ___ \ / | \\_____ \
| __)_ / \ \// ~ \/ | \
| \\ \___\ Y / | \
/_______ / \______ /\___|_ /\_______ /
\/ \/ \/ \/
.OR.ID
ECHO_ADV_09$2004
---------------------------------------------------------------------------
Multiple Vulnerabilities in paFileDB 3.1
---------------------------------------------------------------------------
Author: y3dips
Date: November 26th, 2004
Location: Jakarta, Indonesia
Web: http://echo.or.id/adv/adv09-y3dips-2004.txt
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
paFileDB 3.1 (PHP ARENA), written by Todd ([email protected])
web: http://www.phparena.net
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
1. Admin password hash exposed when the "sessions" authentication method is used
If the site uses sessions to handle authentication, an attacker can access the
"sessions" directory and read the session files while the admin is logged in
to manage the site; the admin's session file includes the admin password hash.
----- snip from manual page -----
In order to reduce compatibility problems, paFileDB 3.0 Final can use either
sessions or cookies. Cookies are recommended and enabled by default, because
there's less compatibility issues and unlike sessions, cookies don't require
any data to be stored on the server.
...
To switch between sessions and cookies, open up pafiledb.php and look for
the text:
$authmethod = "cookies"; OR :
$authmethod = "sessions";
...
Before you make the switch to sessions, make a directory called "sessions"
in your paFileDB folder (same folder as pafiledb.php) and CHMOD the directory 777.
----- snip ------
POC
Scenario:
* the admin (dudul) logs in to manage the site at
http://URL/pafiledb/pafiledb.php?action=admin ; the session is then recorded in
the sessions directory
+ at the same time, the attacker accesses the directory directly and sees the
session files
Exploit: http://URL/pafiledb/sessions/[sessionfile]
then access the session file from the directory listing
example: 'sess_12c9d926184e836451a15ed837bb875d'
which contains
user|s:5:"dudul";pass|s:32:"810f9f3fbad17446a22ed2e516a12c36";
ip|s:32:"f528764d624db129b32c21fbca0cb8d6";
---- info that the attacker gets ----
user : dudul
pass : 810f9f3fbad17446a22ed2e516a12c36 <-- MD5
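Two checks a site owner would want after reading the scenario above, as an added example that is not part of the original advisory or of paFileDB: a detector that runs over Apache combined-format access-log lines and flags every request that reaches the sessions directory (a 2xx means the server actually served the listing or file), and an audit of the on-disk sessions directory that reports the manual's CHMOD 777 and a missing Apache deny rule. The log lines, the session file name and the use of Apache's .htaccess are constructed assumptions; the application base path defaults to /pafiledb.

```python
import os
import re
import stat
import tempfile

# Apache "combined" access-log format; the site is assumed to log in it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: an admin logging in, then a second client reaching
# straight into the sessions directory (listing, a file, and a refused try).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Nov/2004:10:01:02 +0700] "GET /pafiledb/pafiledb.php?action=admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Nov/2004:10:01:09 +0700] "POST /pafiledb/pafiledb.php?action=admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.77 - - [26/Nov/2004:10:01:15 +0700] "GET /pafiledb/sessions/ HTTP/1.1" 200 880 "-" "curl/7.12"
192.0.2.77 - - [26/Nov/2004:10:01:17 +0700] "GET /pafiledb/sessions/sess_0123456789abcdef0123456789abcdef HTTP/1.1" 200 131 "-" "curl/7.12"
192.0.2.77 - - [26/Nov/2004:10:02:00 +0700] "GET /pafiledb/sessions/sess_0123456789abcdef0123456789abcdef HTTP/1.1" 403 298 "-" "curl/7.12"
"""


def find_session_dir_hits(log_text, app_base="/pafiledb"):
    """Return (ip, status, path) for every request into the sessions directory.

    A 2xx means the web server served the listing or the session file; a 403
    or 404 means the directory is protected and only the attempt was logged.
    """
    prefix = app_base.rstrip("/") + "/sessions/"
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if path.startswith(prefix):
            hits.append((m.group("ip"), int(m.group("status")), path))
    return hits


def served_hits(hits):
    """Only the hits the server actually answered with content."""
    return [h for h in hits if 200 <= h[1] < 300]


def audit_sessions_dir(path):
    """List what is wrong with a sessions directory that sits under the web root.

    The manual's "CHMOD 777" makes the directory world readable and writable,
    and without a deny rule Apache will happily serve whatever it contains.
    """
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    htaccess = os.path.join(path, ".htaccess")
    if not os.path.exists(htaccess):
        problems.append("no .htaccess deny rule")
    else:
        with open(htaccess) as f:
            text = f.read().lower()
        # "Deny from all" is the Apache 1.3/2.0/2.2 form, "Require all denied" the 2.4 form.
        if "deny from all" not in text and "require all denied" not in text:
            problems.append(".htaccess does not deny access")
    return problems


def demo():
    """Build a throwaway sessions directory the way the manual says (777),
    audit it, apply the fix, and audit again. Returns (before, after)."""
    d = tempfile.mkdtemp(prefix="pafiledb_sessions_")
    os.chmod(d, 0o777)
    before = audit_sessions_dir(d)
    with open(os.path.join(d, ".htaccess"), "w") as f:
        f.write("Order deny,allow\nDeny from all\n")
    os.chmod(d, 0o700)  # owner (the web server user) only
    after = audit_sessions_dir(d)
    return before, after


if __name__ == "__main__":
    for ip, status, path in find_session_dir_hits(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
    print(demo())
```

The .htaccess rule only stops the web server from serving the files; keeping the directory outside the document root (pointing PHP at it via session.save_path) removes the exposure entirely, and the permission check still matters on shared hosts where other local users could read the files.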
----------------------------------------------------------------------------
2. Full path disclosure
A remote user can access the file directly to cause the system to display
an error message that indicates the installation path. The resulting error
message will disclose potentially sensitive installation path information
to the remote attacker.
read my article about path disclosure (in Indonesian) at
http://ezine.echo.or.id/ezine8/ez-r08-y3dips-pathdisc.txt
POC :
http://URL/pafiledb/includes/admin/admins.php
Fatal error: Call to undefined function: adlocbar() in
/var/www/html/pafiledb/includes/admin/admins.php on line 13
http://URL/pafiledb/includes/admin/category.php
Fatal error: Call to undefined function: adlocbar() in
/var/www/html/pafiledb/includes/admin/category.php on line 232
http://URL/pafiledb/includes/team.php
Warning: main(./includes/team/login.php): failed to open stream:
No such file or directory in /var/www/html/pafiledb/includes/team.php on line 17
Warning: main(): Failed opening './includes/team/login.php' for inclusion
(include_path='.:/usr/share/pear')
in /var/www/html/pafiledb/includes/team.php on line 17
- - - - - - - - - -
FIX it:
Users who do not know how to fix the script can change the php.ini settings:
turn on log_errors and turn off display_errors.
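A small audit of the php.ini fix above, added here as an example and not part of the original advisory or of PHP's own tooling: it parses the directive lines of a php.ini file, evaluates values with PHP's ini boolean rules (On/Yes/True/1 are true, Off/No/False/None/0 and empty are false), reports whether display_errors and log_errors match the hardened values, and rewrites the file accordingly. The sample php.ini text is constructed; the built-in defaults assumed for a directive that is absent (display_errors on, log_errors off, as in PHP 4/5) are an assumption, and the comment stripping ignores semicolons inside quoted values.

```python
import re

# PHP ini boolean rules (assumption stated in the lead-in).
_TRUE = {"1", "on", "yes", "true"}
_FALSE = {"0", "off", "no", "false", "none", ""}

# Hardened values: never show errors to the client, always log them.
WANTED = {"display_errors": False, "log_errors": True}

# Assumed compiled-in defaults when the directive is missing from php.ini.
DEFAULTS = {"display_errors": "1", "log_errors": "0"}

# Constructed sample of a php.ini that leaks installation paths.
WEAK_INI = """\
[PHP]
; constructed sample, not a real server's file
display_errors = On
log_errors = Off
error_log = /var/log/php_errors.log
"""


def php_ini_bool(value):
    """Interpret an ini value the way PHP does for boolean directives."""
    v = value.strip().strip('"').lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    # display_errors also accepts "stderr"/"stdout"; any unknown value still
    # produces output somewhere, so treat it as enabled (the unsafe side).
    return True


def parse_php_ini(text):
    """Return {directive: raw value}; sections and ';' comments are dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # naive: ignores ';' inside quotes
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_error_settings(settings):
    """Return {directive: (current, wanted)} for every directive that is unsafe."""
    findings = {}
    for name, wanted in WANTED.items():
        current = settings.get(name, DEFAULTS[name])
        if php_ini_bool(current) != wanted:
            findings[name] = (current, "On" if wanted else "Off")
    return findings


def harden(text):
    """Rewrite the two directives in place, appending any that are missing."""
    seen = set()
    out = []
    for raw in text.splitlines():
        m = re.match(r"^\s*(display_errors|log_errors)\s*=", raw, re.I)
        if m:
            name = m.group(1).lower()
            out.append(f"{name} = {'On' if WANTED[name] else 'Off'}")
            seen.add(name)
        else:
            out.append(raw)
    for name, wanted in WANTED.items():
        if name not in seen:
            out.append(f"{name} = {'On' if wanted else 'Off'}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(audit_error_settings(parse_php_ini(WEAK_INI)))
    print(harden(WEAK_INI))
```

Logging errors instead of displaying them hides the path from the client, but the underlying fatal errors (scripts under includes/ being requested directly) remain; blocking direct requests to that directory, for example with a deny rule, is the complementary fix.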
----------------------------------------------------------------------------
3. Possible to end up with no admin account
All admins have the same privileges, so any admin can delete any other admin
until none are left; once every admin account has been deleted, nobody can log
in to manage the site.
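The lockout described above, shown as an added example in Python that is not paFileDB's own code: `delete_unchecked` mirrors the behaviour the advisory describes (any admin removes any admin, with no floor), while `delete` enforces the invariant that at least one admin account always remains. The admin names are constructed.

```python
class LastAdminError(Exception):
    """Raised when a deletion would leave the application with no admin."""


class AdminStore:
    """In-memory stand-in for the admin table (constructed for the example)."""

    def __init__(self, admins):
        self._admins = set(admins)

    def admins(self):
        return frozenset(self._admins)

    def delete_unchecked(self, actor, target):
        # Vulnerable form: every admin has the same power and nothing stops
        # the removal of the last account, including the caller's own.
        if actor not in self._admins:
            raise PermissionError(f"{actor!r} is not an admin")
        self._admins.discard(target)

    def delete(self, actor, target):
        # Hardened form: same authorization check, plus a floor of one admin.
        if actor not in self._admins:
            raise PermissionError(f"{actor!r} is not an admin")
        if target not in self._admins:
            raise KeyError(target)
        if len(self._admins) == 1:
            raise LastAdminError("refusing to delete the last admin account")
        self._admins.remove(target)


def lockout_demo():
    """Reproduce the lockout: two admins delete each other, nobody remains."""
    store = AdminStore(["dudul", "alice"])
    store.delete_unchecked("dudul", "alice")
    store.delete_unchecked("dudul", "dudul")
    return store.admins()


def guarded_demo():
    """Same sequence against the hardened method: the last deletion is refused."""
    store = AdminStore(["dudul", "alice"])
    store.delete("dudul", "alice")
    try:
        store.delete("dudul", "dudul")
    except LastAdminError:
        pass
    return store.admins()


if __name__ == "__main__":
    print("unchecked:", sorted(lockout_demo()))
    print("guarded:  ", sorted(guarded_demo()))
```

The count check belongs inside the same transaction (or behind a database constraint) as the delete; two admins removing each other at the same moment would otherwise both pass the `len == 1` test and still empty the table.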
----------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff
~ #e-c-h-o & #aikmel @DALNET
---------------------------------------------------------------------------
Contact:
~~~~~~~~
y3dips || echo|staff || y3dips(at)echo(dot)or(dot)id
Homepage: http://y3dips.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------