
waraxe-2007-SA052.txt

Date: 20 Sep 2007 | Reported by: Janek Vind aka waraxe | Type: packetstorm | Source: packetstormsecurity.com

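dBlog CMS Open Source database retrieval vulnerability: the web-accessible database file exposes admin password SHA hashes, roughly 20% of real-world sites checked were exploitable, and the fix is IIS directory restrictions plus renaming the directory and database file.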

Code
`  
[waraxe-2007-SA#052] - dBlog CMS Open Source database retrieval  
====================================================================  
  
Author: Janek Vind "waraxe"  
Date: 19. September 2007  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/advisory-52.html  
  
  
Target software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
http://www.dblog.it/sito/default.asp  
  
DBlog CMS is an open source Content Management System for the IIS/ASP platform.  
Some days ago dBlog 2.0 hit the goal of 110.000 platform downloads,   
over 100.000 of them regarding the latest version.  
  
GoogleDork: inurl:"articolo.asp" "powered by dblog"  
  
  
Vulnerabilities:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
DBlog stores all its data in a JET database file with the default name "dblog.mdb".  
This database file is accessible from the web at:  
  
http://www.example.com/mdb-database/dblog.mdb  
  
By fetching the database, anyone can obtain the admin password SHA hashes and then  
try to crack them and gain admin privileges.  
There are some mitigating factors though:  
  
1. The IIS web server can refuse ".mdb" file downloads  
2. The database file or directory can be renamed to something else  
  
A quick look at real-world sites shows that ~20% of them are exploitable.  
Considering the large number of DBlog-based websites, this is a serious problem IMHO.  
  
  
How to fix:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Apply IIS directory restrictions and rename the directory and the database file.  
  
  
Greetings:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Greets to pabloski, ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb  
and all other people who know me!  
Greetings to Raido Kerna.  
Greetings to the people of Torufoorum!  
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
[email protected]  
Janek Vind "waraxe"  
  
Homepage: http://www.waraxe.us/  
  
  
Shameless advertising:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
User Manual Database - http://user-manuals.waraxe.us/  
Old Books Online - http://www.oldreadings.com/  
  
---------------------------------- [ EOF ] ------------------------------------  
  
`
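
A defender-side check for the exposure described in the advisory, as an added example that is not part of the original advisory: it scans an IIS W3C-format access log for requests to `.mdb` files and separates those the server actually returned (status 200 or 206) from those it refused. The log lines, client addresses and field selection are constructed sample data; a real log lists its columns in the `#Fields:` header, which the parser follows.

```python
# Added example: find requests for Access database files in an IIS W3C log.
SERVED = {"200", "206"}  # full or partial content was actually returned

# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-09-20 10:01:02 192.0.2.10 GET /articolo.asp id=12 200
2007-09-20 10:01:09 198.51.100.7 GET /mdb-database/dblog.mdb - 200
2007-09-20 10:02:41 198.51.100.9 GET /mdb-database/DBLOG.MDB - 404
2007-09-20 10:03:00 192.0.2.10 GET /default.asp - 200
"""

def mdb_requests(lines):
    """Yield (date, time, client, path, status, served) for every .mdb request."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue                       # other directives, blanks, no header yet
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # malformed row, skip rather than guess
        row = dict(zip(fields, parts))
        path = row.get("cs-uri-stem", "")
        if path.lower().endswith(".mdb"):  # match any case and any renamed directory
            status = row.get("sc-status", "")
            yield (row.get("date"), row.get("time"), row.get("c-ip"),
                   path, status, status in SERVED)

def exposed(lines):
    """Return only the requests where the server handed out the database."""
    return [hit for hit in mdb_requests(lines) if hit[5]]

if __name__ == "__main__":
    for date, time, client, path, status, served in mdb_requests(SAMPLE_LOG.splitlines()):
        verdict = "SERVED: treat admin hashes as disclosed" if served else "refused"
        print(f"{date} {time} {client} {path} {status} {verdict}")
```

Any served hit means the admin password hashes in the database should be treated as disclosed and the admin passwords changed, in addition to applying the fix above.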
