DynPage <= v1.0 Multiple Remote Vulnerabilities

ID 1337DAY-ID-14014
Type zdt
Reporter Abysssec
Modified 2010-09-07T00:00:00


Exploit for php platform in category web applications

DynPage <= v1.0 Multiple Remote Vulnerabilities

- Title  : DynPage Multiple Remote Vulnerabilities.
- Affected Version : <= v1.0
- Vendor  Site   : http://www.dynpage.net
- Discovery : Abysssec.com
- Description :
DynPage allows you to edit Websites online and make pieces of contents editable with a comfortable editor.
DynPage implements the CKeditor - one of the best Internet editors.
The integration of content into the HTML pages can be done with Ajax/Javascript or PHP - so you can also handle cross domain sites.
DynPage is written in PHP and does not require MySQL database. It's easy to install and to configurate.
- Vulnerabilities:
1)Local File Disclosure:
    /content/dynpage_load.php #[line(20-28)]:
    $filename = $_GET["file"];
    if (!is_dir ($filename) && file_exists ($filename)) {
        $bytes = filesize ($filename);
        $fh = fopen($filename, 'r');
        print (fread ($fh, $bytes));
        fclose ($fh);
2)Admin hash Disclosure:
    The Admin password hash format: MD5('admin:'+$password)
    then password's salt is "admin:".
    2-a)Default password is admin,that stored in config_global.inc.php(line 41-42 )
            // Default login admin
            "default_login_hash" => "d2abaa37a7c3db1137d385e1d8c15fd2",
    +POC:for see this hash:
    2-b)the hash  password  stored as SESSION in /conf/init.inc.php.
            // This file is generated automatically!
            // No not modify manually!
            $_SESSION['DYNPAGE_CONF_VAR_ALL']['admin_email']="[email protected]";
    +POC:for see this hash:

#  0day.today [2018-01-03]  #