paFAQ backup.php Database Disclosure Privilege Escalation

2005-06-20T06:16:27
ID OSVDB:17566
Type osvdb
Reporter James Bercegay
Modified 2005-06-20T06:16:27

Description

Vulnerability Description

paFaq contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when an attacker directly requests the backup.php script, which does not require authentication. Using this script, the attacker can download the entire paFaq database containing usernames and password hashes for all users. Once an attacker has the password hash for the administrative user, they can use it to authenticate against the system without having to recover the plaintext password, by setting their cookie to:

Cookie: pafaq_user=USERNAMEHERE; pafaq_pass=PASSWORDHASH

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[victim]/to/pafaq/admin/backup.php
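
Since the script answers without authentication, any successful response for admin/backup.php in the web server log may be a full database download. The following is an added example, not part of the original advisory, that triages an access log for such requests and for later admin-area requests from the same client. It assumes Apache/Nginx combined log format; the sample log lines, IP addresses and the /pafaq/admin/index.php path are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: "combined" access log format; adjust the pattern for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
BACKUP_RE = re.compile(r'/admin/backup\.php(?:$|/)', re.IGNORECASE)
ADMIN_RE = re.compile(r'/admin/', re.IGNORECASE)

# Constructed sample input (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jun/2005:06:20:01 +0000] "GET /pafaq/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Jun/2005:06:21:13 +0000] "GET /pafaq/admin/backup.php HTTP/1.1" 200 482133 "-" "-"',
    '198.51.100.7 - - [20/Jun/2005:06:22:40 +0000] "GET /pafaq/admin/index.php HTTP/1.1" 200 7340 "-" "-"',
    '192.0.2.10 - - [20/Jun/2005:06:23:02 +0000] "GET /pafaq/admin/backup.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

def triage(lines):
    """Return {client_ip: {"downloads": [...], "admin_after": [...]}}.

    downloads   : 2xx responses for admin/backup.php; the script has no auth
                  check, so each one may be a database dump leaving the server.
    admin_after : later 2xx requests to other /admin/ pages by the same client,
                  worth reviewing for use of a dumped hash in the login cookie.
    """
    findings = defaultdict(lambda: {"downloads": [], "admin_after": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line, or the request did not succeed
        ip = m["ip"]
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if BACKUP_RE.search(path):
            size = 0 if m["size"] == "-" else int(m["size"])
            findings[ip]["downloads"].append((m["ts"], size))
        elif ADMIN_RE.search(path) and ip in findings:
            findings[ip]["admin_after"].append((m["ts"], path))
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_LOG).items():
        print(ip, hits)
```

Any client listed under downloads should be treated as holding every user's password hash, so all accounts need new passwords and existing cookies must be invalidated.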

References:

Vendor URL: http://www.phparena.net/pafaq.php
Security Tracker: 1014248
Related OSVDB ID: 17563
Related OSVDB ID: 17565
Related OSVDB ID: 17567
Related OSVDB ID: 17564
Other Advisory URL: http://www.gulftech.org/?node=research&article_id=00083-06202005
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-06/0155.html
CVE-2005-2013