packetstorm · Daniel Correa · PACKETSTORM:115301
Aug 05, 2012 - 12:00 a.m.

Dir2web3 3.0 SQL Injection / Information Disclosure


EPSS: 0.014 (Low), percentile 84.8%

`Title:  
======  
Dir2web3 Multiple Vulnerabilities  
  
Date:  
=====  
05/08/2012  
  
Author:  
=======  
Daniel Correa (http://www.sinfocol.org/)  
  
Vulnerable software:  
====================  
Dir2web v3.0 (http://www.dir2web.it/)  
  
CVE:  
====  
CVE-2012-4069  
CVE-2012-4070  
  
Details:  
========  
Two vulnerabilities were identified in Dir2web v3.0:  
  
Information disclosure (CVE-2012-4069):  
The database folder is public and is not protected via .htaccess. An attacker  
can download the entire database and look for hidden pages on the website.  
  
SQL Injection (CVE-2012-4070):  
The preg_match check is not enough to protect GET/POST parameters: the  
pattern is unanchored, so any value that merely contains a valid identifier  
passes. An attacker can easily perform SQL injection against the application.  
  
Exploit:  
========  
Information disclosure:  
http://site/_dir2web/system/db/website.db  
  
SQL Injection:  
http://site/index.php?wpid=homepage&oid=6a303a0aaa' OR id > 0-- -  
  
Patch:  
======  
Information disclosure:  
Create a .htaccess file in the _dir2web folder with the following content:  
Order deny,allow  
Deny from all  
  
SQL Injection:  
Fix the regular expression in the dispatcher.php file located in the  
_dir2web/system/src folder.  
  
Replace:  
'/[a-zA-Z0-9]{10}/'  
With:  
'/^[a-zA-Z0-9]{10}$/'  
  
Timeline:  
=========  
13/07/2012: Vendor contacted  
25/07/2012: CERT contacted  
27/07/2012: CVE assigned  
05/08/2012: Vulnerability published on Bugtraq  
  
--   
Regards,  
Daniel Correa  
  
`
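
Added example (not part of the advisory or of Dir2web's code): the original pattern, the advisory's replacement and a stricter variant run against constructed oid values, including the one from the advisory's URL, followed by a bound-parameter query as a second layer. The table, column and function names are hypothetical, the in-memory SQLite database (pdo_sqlite) is a stand-in, and the `\A...\z` pattern is an addition here because PHP's `$` also matches before a trailing newline.

```php
<?php
// Added example, not Dir2web source. The table, column and function names
// are hypothetical; only the first two regular expressions come from the advisory.

const OID_ORIGINAL = '/[a-zA-Z0-9]{10}/';      // unanchored: matches a substring
const OID_PATCHED  = '/^[a-zA-Z0-9]{10}$/';    // advisory's fix
const OID_STRICT   = '/\A[a-zA-Z0-9]{10}\z/';  // also rejects a trailing "\n"

function oid_is_valid(string $pattern, string $oid): bool
{
    return preg_match($pattern, $oid) === 1;
}

// Constructed inputs; the second is the oid value from the advisory's URL.
$samples = [
    'well-formed id'   => '6a303a0aaa',
    'advisory payload' => "6a303a0aaa' OR id > 0-- -",
    'trailing newline' => "6a303a0aaa\n",
    'too short'        => '6a303a0',
];

foreach ($samples as $label => $oid) {
    printf("%-17s original=%-5s patched=%-5s strict=%s\n",
        $label,
        var_export(oid_is_valid(OID_ORIGINAL, $oid), true),
        var_export(oid_is_valid(OID_PATCHED, $oid), true),
        var_export(oid_is_valid(OID_STRICT, $oid), true));
}

// Defence in depth: bind the value instead of concatenating it into SQL.
// In-memory SQLite with a hypothetical "objects" table stands in for the app.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE objects (id TEXT PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO objects VALUES ('6a303a0aaa', 'public'), ('zzzzzzzzzz', 'hidden')");

function fetch_titles(PDO $db, string $oid): array
{
    if (!oid_is_valid(OID_STRICT, $oid)) {
        return [];                       // reject before touching the database
    }
    $stmt = $db->prepare('SELECT title FROM objects WHERE id = :oid');
    $stmt->execute([':oid' => $oid]);    // value is bound, never parsed as SQL
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_export(fetch_titles($db, '6a303a0aaa'));
var_export(fetch_titles($db, "6a303a0aaa' OR id > 0-- -"));
```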
