SIPS (PHP)

2008.03.26
Credit: subj
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Product : SIPS
Version : v0.2.2
WebSite : http://www.squishdot.org
Problem : Viewing users' accounts

Description:
------------
Any user's account can be viewed without any permissions. Each account is stored in a directory named after the first letter of its login. For example, foo will have a URL like this one:

/sipssys/users/f/foo/user

So the user's info file can be read. It gives you the MD5 hash of the password, which you can try to crack with JtR or any other software.

E.g.: http://localhost/sips/sipssys/users/t/test/user

Password::47bce5c74f589f4867dbd57e9ca9f808   // MD5
Email::test@localhost
Theme::default

==========
login.php:
==========
[...]
if ($action == "login") {
    if ($username) {
        // The user file path is built as users/<first letter>/<login>/user
        if (file_exists($config["sipssys"] . "/users/$username[0]/$username/user")) {
            // The stored password is a plain MD5 hash of the submitted password
            $cryptpass = md5($password);
            if (getUserValue($username, "Password") == $cryptpass) {
                $cryptuser = "$username:$cryptpass";
[...]

Exploit:
--------
http://[somehost]/[sips_directory]/sipssys/users/[first_letter_of_UserID]/[UserID]/user

Link:
=====
www.dwcgr0up.com
irc.dwcgr0up.biz:6667

Fixes:
======
You can find all our fixes on our homepage [www.dwcgroup.com]

Thanks:
=======
GipsHack crew : DHGroup etc etc
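
An added audit example (not part of the original advisory and not SIPS code): it walks a web document root on the local filesystem, finds files laid out as users/<first letter>/<login>/user, parses their Key::Value lines, and reports accounts whose Password field is a bare 32-hex MD5 value. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)

def parse_user_file(path):
    """Parse the 'Key::Value' lines of a SIPS-style user file into a dict."""
    record = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("::")
            if sep:
                record[key] = value
    return record

def audit_docroot(docroot):
    """Return one finding per users/<letter>/<login>/user file under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        parts = os.path.relpath(dirpath, docroot).split(os.sep)
        # Layout from the advisory: .../users/<first letter>/<login>/user
        if "user" not in files or len(parts) < 3 or parts[-3] != "users":
            continue
        letter, login = parts[-2], parts[-1]
        if login[:1].lower() != letter.lower():
            continue
        record = parse_user_file(os.path.join(dirpath, "user"))
        findings.append({
            "login": login,
            # Path under which the web server would serve the file
            "url_path": "/" + "/".join(parts + ["user"]),
            "unsalted_md5": bool(MD5_HEX.match(record.get("Password", ""))),
            "leaks_email": "Email" in record,
        })
    return findings

def build_sample_docroot():
    """Constructed sample tree mirroring the advisory's example account."""
    root = tempfile.mkdtemp()
    user_dir = os.path.join(root, "sips", "sipssys", "users", "t", "test")
    os.makedirs(user_dir)
    with open(os.path.join(user_dir, "user"), "w", encoding="utf-8") as fh:
        fh.write("Password::47bce5c74f589f4867dbd57e9ca9f808\n"
                 "Email::test@localhost\nTheme::default\n")
    return root

if __name__ == "__main__":
    for finding in audit_docroot(build_sample_docroot()):
        print(finding)
```

Any finding means the account store sits inside the served tree: move the sipssys data directory outside the document root or deny HTTP access to it, and treat the listed password hashes as disclosed.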



Copyright 2022, cxsecurity.com

 
