[waraxe-2007-SA#052] - dBlog CMS Open Source database retrieval
====================================================================
Author: Janek Vind "waraxe"
Date: 19. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-52.html
Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.dblog.it/sito/default.asp
DBlog CMS is a open source Content Management System for IIS/ASP platform.
Some days ago dBlog 2.0 hit the goal of the 110.000 platform downloads,
over 100.000 of them regarding the lastest version.
GoogleDork: inurl:"articolo.asp" "powered by dblog"
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DBlog stores all the data in JET database file with default name "dblog.mdb".
This database file is accessible from web as:
http://www.example.com/mdb-database/dblog.mdb
By fetching database anyone can obtain admin password sha hashes and then try to
crack them and gain admin privileges.
There are some mitigating factors though:
1. IIS webserver can refuse ".mdb" file download
2. database file or directory can be renamed to something else
Quick look @ real world sites shows, that ~ 20% of them are exploitable.
Considering large number of DBlog-based websites, this is serious problem IMHO.
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IIS directory restrictions, renaming directory and database file.
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to pabloski, ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and all other people who know me!
Greetings to Raido Kerna.
Tervitusi Torufoorumi rahvale!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe (at) yahoo (dot) com [email concealed]
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
Shameless advertise:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
User Manual Database - http://user-manuals.waraxe.us/
Old Books Online - http://www.oldreadings.com/
---------------------------------- [ EOF ] ------------------------------------