Multiple Vulnerabilities in paFileDB 3.1

2004-12-08T00:00:00
ID SECURITYVULNS:DOC:7298
Type securityvulns
Reporter Securityvulns
Modified 2004-12-08T00:00:00

Description

ECHO_ADV_09$2004


Multiple Vulnerabilities in paFileDB 3.1

Author: y3dips Date: November, 26th 2004 Location: Indonesia, Jakarta Web: http://echo.or.id/adv/adv09-y3dips-2004.txt


Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

paFileDB 3.1 ( PHP ARENA ) Written by Todd ( todd@phparena.net ) web : http://www.phparena.net


Vulnerabilities: ~~~~~~~~~~~~~~~~

  1. Possible to see Admin Hash Password if using sessions method

If the site using sessions to handle the authentication in the site, Attacker could access the directory "sessions" and see the sessions in the same time when the admin log in to manage the site (which is include admin hash password)

----- snip from manual page -----

In order to reduce compatibility problems, paFileDB 3.0 Final can use either sessions or cookies. Cookies are recommended and enabled by default, because there's less compatibility issues and unlike sessions, cookies don't require any data to be stored on the server.

... To switch between sessions and cookies, open up pafiledb.php and look for the text:

$authmethod = "cookies"; OR : $authmethod = "sessions"; ...

Before you make the switch to sessions, make a directory called "sessions" in your paFileDB folder (same folder as pafiledb.php) and CHMOD the directory 777.

----- snip ------

POC

Scenario :

  • admin (dudul) log in to manage the site at http://URL/pafiledb/pafiledb.php?action=admin ,then the session is recorded in sessions directory

  • attacker access the directory directly and see the "sessions" (in a same time)

Exploit: http://URL/pafiledb/sessions/[sessionfile]

then access the listing sessions file example : 'sess_12c9d926184e836451a15ed837bb875d'

which is contain

user|s:5:"dudul";pass|s:32:"810f9f3fbad17446a22ed2e516a12c36"; ip|s:32:"f528764d624db129b32c21fbca0cb8d6";

---- info that attacker get ----

user : dudul pass : 810f9f3fbad17446a22ed2e516a12c36 <-- MD5


  1. Full path disclosure

A remote user can access the file directly to cause the system to display an error message that indicates the installation path. The resulting error message will disclose potentially sensitive installation path information to the remote attacker.

read my artikel about path disclosure with Indonesian language at

http://ezine.echo.or.id/ezine8/ez-r08-y3dips-pathdisc.txt

POC :

http://URL/pafiledb/includes/admin/admins.php

Fatal error: Call to undefined function: adlocbar() in /var/www/html/pafiledb/includes/admin/admins.php on line 13

http://URL/pafiledb/includes/admin/category.php

Fatal error: Call to undefined function: adlocbar() in /var/www/html/pafiledb/includes/admin/category.php on line 232

http://URL/pafiledb/includes/team.php

Warning: main(./includes/team/login.php): failed to open stream: No such file or directory in /var/www/html/pafiledb/includes/team.php on line 17

Warning: main(): Failed opening './includes/team/login.php' for inclusion (include_path='.:/usr/share/pear') in /var/www/html/pafiledb/includes/team.php on line 17


FIX it :

For User and do not know how to fix the script , change php.ini file setting then turn on log_errors , and turn off display_error


  1. Possible to Have No Admin Account

All admin have same power, so every admin could delete another admin until there is no admin left , if all admin acount deleted, so all admin could not log in to manage the site


Shoutz: ~~~~~~~

~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff ~ newbie_hacker@yahoogroups.com , ~ #e-c-h-o & #aikmel @DALNET


Contact: ~~~~~~~~

y3dips || echo|staff || y3dips(at)echo(dot)or(dot)id Homepage: http://y3dips.echo.or.id/

-------------------------------- [ EOF ] ---------------------------------