waraxe-2007-SA052.txt

Reported: 20 Sep 2007, by Janek Vind aka waraxe
Source: packetstorm (packetstormsecurity.com)

dBlog CMS Open Source database retrieval vulnerability: the JET database file is fetchable from the web on roughly 20% of sites, exposing admin password SHA hashes; mitigated by IIS directory restrictions or renaming the file.

[waraxe-2007-SA#052] - dBlog CMS Open Source database retrieval  
====================================================================  
  
Author: Janek Vind "waraxe"  
Date: 19. September 2007  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/advisory-52.html  
  
  
Target software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
http://www.dblog.it/sito/default.asp  
  
DBlog CMS is an open source Content Management System for the IIS/ASP platform.
Some days ago dBlog 2.0 reached 110.000 platform downloads,
over 100.000 of them for the latest version.
  
GoogleDork: inurl:"articolo.asp" "powered by dblog"  
  
  
Vulnerabilities:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
DBlog stores all the data in JET database file with default name "dblog.mdb".  
This database file is accessible from web as:  
  
http://www.example.com/mdb-database/dblog.mdb  
  
By fetching database anyone can obtain admin password sha hashes and then try to  
crack them and gain admin privileges.  
There are some mitigating factors though:  
  
1. IIS webserver can refuse ".mdb" file download  
2. database file or directory can be renamed to something else  
  
A quick look at real-world sites shows that roughly 20% of them are exploitable.
Considering the large number of DBlog-based websites, this is a serious problem IMHO.
  
  
How to fix:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
IIS directory restrictions, renaming directory and database file.  
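Two defender-side checks for the exposure described above, as an added example that is not part of the waraxe advisory or of dBlog itself: one audits an IIS 7+ web.config for a request-filtering rule that denies the ".mdb" extension (the "IIS directory restrictions" fix), and one scans IIS W3C extended log lines for requests to .mdb files that were actually served, which is what a successful database retrieval looks like in the server log. The web.config fragments and log lines are constructed for this example; the function names are my own.

```python
"""
Added example, not code from the advisory or from dBlog.
Assumes IIS 7+ (web.config based request filtering) and Python 3.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed web.config fragments. The hardened one carries the
# <requestFiltering> rule that denies ".mdb" downloads site-wide;
# the weak one has no such rule, so IIS will happily serve the JET file.
HARDENED_WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions>
          <add fileExtension=".mdb" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

WEAK_WEB_CONFIG = """<configuration>
  <system.webServer />
</configuration>
"""

# Constructed IIS W3C extended log excerpt: one served download (200),
# one request blocked by request filtering (404.7), one forbidden (403).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-09-19 10:15:01 10.0.0.5 GET /articolo.asp id=12 80 - 203.0.113.7 Mozilla/5.0 200 0 0
2007-09-19 10:15:09 10.0.0.5 GET /mdb-database/dblog.mdb - 80 - 203.0.113.7 Mozilla/5.0 200 0 0
2007-09-19 10:16:30 10.0.0.5 GET /MDB-DATABASE/DBLOG.MDB - 80 - 198.51.100.2 curl/7.16 404 7 0
2007-09-19 10:17:02 10.0.0.5 GET /mdb-database/dblog.mdb - 80 - 198.51.100.9 Wget/1.10 403 0 0
"""


def audit_web_config(xml_text: str, extension: str = ".mdb") -> bool:
    """Return True if requestFiltering/fileExtensions explicitly denies `extension`."""
    root = ET.fromstring(xml_text)
    for add in root.findall(".//requestFiltering/fileExtensions/add"):
        ext = add.get("fileExtension", "").lower()
        allowed = add.get("allowed", "true").lower()
        if ext == extension.lower() and allowed == "false":
            return True
    return False


def parse_w3c_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def find_mdb_downloads(lines: List[str], extension: str = ".mdb") -> List[Dict[str, str]]:
    """Return log rows where a file with `extension` was requested AND served.

    The match is case-insensitive because IIS paths are, so /DBLOG.MDB is the
    same file as /dblog.mdb. Only 200 (full) and 206 (partial) count as served;
    403/404 responses mean the restriction held.
    """
    hits = []
    for row in parse_w3c_log(lines):
        stem = row.get("cs-uri-stem", "")
        if not stem.lower().endswith(extension.lower()):
            continue
        if row.get("sc-status") in ("200", "206"):
            hits.append(row)
    return hits


if __name__ == "__main__":
    print("hardened config denies .mdb:", audit_web_config(HARDENED_WEB_CONFIG))
    print("weak config denies .mdb:    ", audit_web_config(WEAK_WEB_CONFIG))
    for hit in find_mdb_downloads(SAMPLE_LOG.splitlines()):
        print("served .mdb:", hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"])
```

Run the script on a real web.config and a real log file by reading them and passing the text and lines in; a hit from `find_mdb_downloads` on a live site means the database (and the admin hashes in it) has already left the server, so the response is to treat the admin credentials as compromised and rotate them, not only to add the filtering rule.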
  
  
Greetings:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Greets to pabloski, ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb  
and all other people who know me!  
Greetings to Raido Kerna.  
Greetings to the Torufoorum folks!
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
[email protected]  
Janek Vind "waraxe"  
  
Homepage: http://www.waraxe.us/  
  
  
Shameless advertising:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
User Manual Database - http://user-manuals.waraxe.us/  
Old Books Online - http://www.oldreadings.com/  
  
---------------------------------- [ EOF ] ------------------------------------  
  

Vulners AI Score: 7.4 (High risk)