# Exploit Title: South Korean UTW CMS Multiple Vulnerabilities # Date: 18.11.2010 # Author: Valentin # Category: webapps/0day # Version: # Tested on: # CVE : # Code : [:::::::::::::::::::::::::::::::::::::: 0x1 ::::::::::::::::::::::::::::::::::::::] >> General Information Advisory/Exploit Title = South Korean UTW CMS Multiple Vulnerabilities Author = Valentin Hoebel Contact = valentin@xenuser.org [:::::::::::::::::::::::::::::::::::::: 0x2 ::::::::::::::::::::::::::::::::::::::] >> Product information Name = UTW CMS This product is very often used by various companies from South Korea. Googling for inurl:"utw_lib" shows some results, so does "utw_admin". The product contains a message board feature, downloads management system and several other community features. [:::::::::::::::::::::::::::::::::::::: 0x3 ::::::::::::::::::::::::::::::::::::::] >> Local File Inclusion Script: utw_lib/get_file.php Parameters: file, rfile Example: utw_lib/get_file.php?rfile=&file= The script get_file.php is vulnerable to local file inclusion attacks. Arbitrary files can be viewed by combining the values for the rfile and file parameters. >> Source Code Disclosure With the help of the LFI vulnerability the source code of every local script can be viewed. Example: utw_lib/get_file.php?rfile=get_file.php (Yes, using the rfile variable is correct here, although its purpose is to store a path.) This knowledge can also be used to view local configuration files. Example: utw_lib/get_file.php?rfile=dbinfo.inc.php The file dbinfo.inc.php contents the MySQL data, such as the host, database, user and password in plain text. With the help of this information it is possible to access the MySQL server. >> Cross-Site Request Forgery Every input field I saw did not filter out HTML or JavaScript code. I did not check if there are also XSS flaws, but there is a high chance that you are able to permanently inject code, e.g. in the message board threads. >> Low Security Levels Since the user data is stored in plain text (including email addresses and passwords), the identities of the registered userscan be stolen easily by accessing the MySQL database. Another aspect of this low security level is that many users use similar passwords for different services, e.g. often only one password for communities and email service logins is used. In this case all the user passwords and their email addresses can be dumped from the database and be used for trying to login to their email accounts. The admin panel can be accessed by adding /utw_admin to the URL. The product contains also a feature which makes it possible to download files, their download locations are stored in the database. An attack scenario would be to change the file downloads, so the users of the affected website download malicious content. >> External Website Rendering (Un)Fortunately this product is not affected by a RFI vulnerability, or at least I was not able to detect one. But rendering external websites in the context of the thrusted website is possible. Example: tw_lib/get_file.php?rfile=http://www,google.com This is not a real vulnerability, but can be used to abuse the thrust of the visitors in the affected website. [:::::::::::::::::::::::::::::::::::::: 0x4 ::::::::::::::::::::::::::::::::::::::] >> Additional Information Advisory/Exploit Published = 18.11.2010 [:::::::::::::::::::::::::::::::::::::: 0x5 ::::::::::::::::::::::::::::::::::::::] >> Misc Greetz = cr4wl3r, JosS, Todd and Josh from packetstormsecurity.org, exploit-db.com [:::::::::::::::::::::::::::::::::::::: EOF ::::::::::::::::::::::::::::::::::::::]