what you don't know can hurt you

Tastydir Folder Creation / Cookie Forgery / Chmod

Tastydir Folder Creation / Cookie Forgery / Chmod
Posted Oct 17, 2010
Authored by R

Tastydir suffers from file listing, folder creation, cookie forgery and arbitrary chmod vulnerabilities. Version 1216 is affected.

tags | exploit, arbitrary, vulnerability
MD5 | bf5ee6ffeb883f1d531d1e7a772947d3

Tastydir Folder Creation / Cookie Forgery / Chmod

Change Mirror Download
# Exploit Title: Tastydir <= 1216 folder creation vuln
# Date: Oct 17 2010
# Author: R
# Software Link: http://codecanyon.net/item/tastydir-an-ajax-file-manager-and-dir-listing/117167
# Version: 1216
# Tested on: Ubuntu 10.10
# Information:

Tastydir is a cross-platform PHP file management system
which allows you to not only replace your traditional FTP
client but also allow your users to view directories in
a much more aesthetically pleasing way.


# Vulnerability (Folder Creation):

Tastydir has the option to remotely create folders on your
server, but it doesn't check if the user is logged in or
not so an attacker can easily create folders from the
server and access.

# Exploitation:

http://localhost/_tastydir/do.php?mkdir=/var/www/test


# Vulnerability (File Listing):

Tastydir version 1216 and below present a file listing
vulnerability, an attacker can list all the files from
a folder, and can see the permissions for that file and
it's size.

# Exploitation:

http://localhost/_tastydir/do.php?d=/var/www/


# Vulnerability (Cookie Forgery):

When a user logs, a cookie named tastydir_auth is created,
the data section contains the twice hashed sha1 password
of the administrator.

# Exploitation:

An attacker given certain conditions ( by disclosing the
hashed password from _tastydir/settings.php ) can forge
a cookie to imitate an authentic log in, without having
to crack the password, by hashing the hashed password
using the sha1 algorithm and inserting it into the cookie.

# Cookie:

Name: tastydir_auth
Content: [2x hashed password sha1]


# Vulnerability (chmod):

Tastydir has the option to remotely chmod files from your
server, but it doesn't check if the user is logged in or
not so an attacker can easily chmod the files from the
server.

# Exploitation:

http://localhost/_tastydir/do.php?chmod=/var/www/index.php&to=000

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    5 Files
  • 21
    Apr 21st
    1 Files
  • 22
    Apr 22nd
    10 Files
  • 23
    Apr 23rd
    22 Files
  • 24
    Apr 24th
    11 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close