? Kemana Directory 1.5.6 kemana_admin_passwd Cookie User Password Hash Disclosure Vendor: C97net Product web page: http://www.c97.net Affected version: 1.5.6 Summary: Experience the ultimate directory script solution with Kemana. Create your own Yahoo or Dmoz easily with Kemana. Unique Kemana's features including: CMS engine based on our qEngine, multiple directories support, user friendly administration control panel, easy to use custom fields, unsurpassed flexibility. Desc: Kemana contains a flaw that is due to the 'kemana_admin_passwd' cookie storing user password SHA1 hashes. This may allow a remote MitM attacker to more easily gain access to password information. Tested on: Apache/2.4.7 (Win32) PHP/5.5.6 MySQL 5.6.14 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2014-5179 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5179.php Dork #1: intitle:powered by c97.net Dork #2: intitle:powered by qEngine Dork #3: intitle:powered by Kemana.c97.net Dork #4: intitle:powered by Cart2.c97.net 07.03.2014 --- GET /kemana/admin/rev_report.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/kemana/admin/link.php Cookie: qvc_value=4e520fb7e28ff76d71800f4329633bc12040101c; kemana_user_id=guest%2Acbb77d83775796bc42f94a97f9905a0d; kemana_admin_id=admin; kemana_admin_passwd=d033e22ae348aeb5660fc2140aec35850c4da997 Connection: keep-alive