Multiple Vulnerabilities in paFileDB 3.1

Type securityvulns
Reporter Securityvulns
Modified 2004-12-08T00:00:00



Multiple Vulnerabilities in paFileDB 3.1

Author: y3dips Date: November, 26th 2004 Location: Indonesia, Jakarta Web:

Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

paFileDB 3.1 ( PHP ARENA ) Written by Todd ( ) web :

Vulnerabilities: ~~~~~~~~~~~~~~~~

  1. Possible to see Admin Hash Password if using sessions method

If the site using sessions to handle the authentication in the site, Attacker could access the directory "sessions" and see the sessions in the same time when the admin log in to manage the site (which is include admin hash password)

----- snip from manual page -----

In order to reduce compatibility problems, paFileDB 3.0 Final can use either sessions or cookies. Cookies are recommended and enabled by default, because there's less compatibility issues and unlike sessions, cookies don't require any data to be stored on the server.

... To switch between sessions and cookies, open up pafiledb.php and look for the text:

$authmethod = "cookies"; OR : $authmethod = "sessions"; ...

Before you make the switch to sessions, make a directory called "sessions" in your paFileDB folder (same folder as pafiledb.php) and CHMOD the directory 777.

----- snip ------


Scenario :

  • admin (dudul) log in to manage the site at http://URL/pafiledb/pafiledb.php?action=admin ,then the session is recorded in sessions directory

  • attacker access the directory directly and see the "sessions" (in a same time)

Exploit: http://URL/pafiledb/sessions/[sessionfile]

then access the listing sessions file example : 'sess_12c9d926184e836451a15ed837bb875d'

which is contain

user|s:5:"dudul";pass|s:32:"810f9f3fbad17446a22ed2e516a12c36"; ip|s:32:"f528764d624db129b32c21fbca0cb8d6";

---- info that attacker get ----

user : dudul pass : 810f9f3fbad17446a22ed2e516a12c36 <-- MD5

  1. Full path disclosure

A remote user can access the file directly to cause the system to display an error message that indicates the installation path. The resulting error message will disclose potentially sensitive installation path information to the remote attacker.

read my artikel about path disclosure with Indonesian language at



Fatal error: Call to undefined function: adlocbar() in /var/www/html/pafiledb/includes/admin/admins.php on line 13


Fatal error: Call to undefined function: adlocbar() in /var/www/html/pafiledb/includes/admin/category.php on line 232


Warning: main(./includes/team/login.php): failed to open stream: No such file or directory in /var/www/html/pafiledb/includes/team.php on line 17

Warning: main(): Failed opening './includes/team/login.php' for inclusion (include_path='.:/usr/share/pear') in /var/www/html/pafiledb/includes/team.php on line 17

FIX it :

For User and do not know how to fix the script , change php.ini file setting then turn on log_errors , and turn off display_error

  1. Possible to Have No Admin Account

All admin have same power, so every admin could delete another admin until there is no admin left , if all admin acount deleted, so all admin could not log in to manage the site

Shoutz: ~~~~~~~

~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff ~ , ~ #e-c-h-o & #aikmel @DALNET

Contact: ~~~~~~~~

y3dips || echo|staff || y3dips(at)echo(dot)or(dot)id Homepage:

-------------------------------- [ EOF ] ---------------------------------