Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   Greymatter Vendors:   Grey, Noah
Greymatter Weblog Software Discloses Administrator Account Passwords to Remote Users in Certain Configurations
SecurityTracker Alert ID:  1003648
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 25 2002
Impact:   Disclosure of authentication information, User access via network
Exploit Included:  Yes  
Version(s): 1.21c and earlier
Description:   A password disclosure vulnerability was reported in the Greylock weblog and journaling application. A remote user can obtain administrator usernames and passwords from the server.

It is reported that a remote user can look for files on the web server with the following naming format:

"gmrightclick*.reg", where the asterik '*' represents a series of numbers.

This file reportedly contains a valid administrator username and password under the fields "authorname" and "authorpassword", respectively.

It is reported that if an administrator uses the "Add Bookmarklets" feature to add a link or image, a "gmrightclick*" file will be created unless the administrator has set the "clear" function in their configuration. It is reported that the administrator can hit the "Clear And Exit" button at the bottom of the page after adding a link or image to remove all "gmrightclick*reg" files.

It is reported that these files are stored in the 'archive' directory. On some sites, including those that customize their HTML or sites that use the "Master Archive" option, the archive directory may not be remotely browsable.

Impact:   A remote user can view an administrator's username and password and can gain full administrative access to the weblog application.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  Perl-based

Message History:   None.

 Source Message Contents

Subject:  [VulnWatch] Greymatter 1.21c and earlier - remote login/pass exposure

Software: Greymatter 1.21c and earlier
Vulnerability: Remote administrator login/password exposure
Vendor Status: Notified [0]

I originally saw this posted on Metafilter [1] and linked to a two line
description [2]. As with many other attacks, you can google for a specific
file and find vulnerable sites all over. I did a quick check and found 4
vulnerable out of the first 10 google reported back. Anyway, since I have
very limited experience with Greymatter (GM), and I have reported one
security bug to the author before, I typed up some more notes on the bug.
This will be fairly easy to catch using whisker/nikto if people use
default installs (which is common). At the time of this post, Nikto [3]
has been updated to look for the existance of Greymatter. The big sign of
GM being present is /cgi-bin/gm.cgi .. that is the greymatter login screen
and odds are GM is being run as root. Just getting the password will let
you post to the blogger, erase entries, upload files and more. However,
there are a lot of CGIs (listed below) associated with the package, many
could be vulnerable to the older attacks. 

In the past I notified the author of a bug related to the password being
stored in cleartext on the server, so that any local user could read it.
This was actually discovered looking at the access_log of apache. When
rebuilding the GM threads/pages, it will include the login name and
password in the HREF. A simple grep of "password" through access_logs, or
snooping through the GM install dirs will find the administrator login for
GM. This prompted me to look at the cause of the HREF, and lead me to note
that many of the GM files are mode 666 by default. The author acknowledged
the vulnerability and indicated he rarely (if ever) supports the package.
Many people are moving to Movable Type [4] which imports GM material and
is being actively maintained. Movable Type apparently worries about
security more as well. For those still using GM, there is user based
support/upgrades/patches available [5]. The Greymatter home page can be
found at 

About Greysoft from their page: 

weblogging and journal software.  With fully-integrated comments,
searching, file uploading and image handling, completely customisable
output through dozens of templates and variables, multiple author support,
and many other features, Greymatter remains the weblog/journal program of
choice for tens of thousands of people around the world. 


>From the original post about the vulnerability [2]: 

How to hack greymatter driven sites

Just search for a file called "gmrightclick" in google and download a file
called "gmrightclick*.reg" where the stars represent a number. open it and
there you have it: Username and Password for everyone to use.


For those doing pen-testing or looking for the vuln, here are a few signs
of greymatter being used: 

* button "powered by greymatter", links to:
* text that says "greymatter" 
* default blog string: Posted by <username> @ <time> [Link] [No Comments]
                     : Posted by <username> @ <time> [Link] [2 Comments]
* /cgi-bin/gm.cgi is present and offers login/pass


Here are the CGI's in greymatter install (w/ default perms):

-rw-rw-rw-   1 root     fs            304 Dec  8 04:17 gm-authors.cgi
-rw-rw-rw-   1 root     fs             23 Sep 21 23:00 gm-banlist.cgi
-rwxr-xr-x   1 root     fs          15571 Jan 12  2001 gm-comments.cgi*
-rw-rw-rw-   1 root     fs            409 Sep 22 01:50 gm-config.cgi
-rw-rw-rw-   1 root     fs             18 Dec  8 04:17 gm-counter.cgi
-rw-rw-rw-   1 root     fs          23873 Dec  8 04:17 gm-cplog.cgi
-rw-rw-rw-   1 root     fs            750 Dec  8 04:17 gm-entrylist.cgi
-rwxr-xr-x   1 root     fs          10211 Jan 12  2001 gm-karma.cgi*
-rw-rw-rw-   1 root     fs         157160 Feb 22  2001 gm-library.cgi
-rw-rw-rw-   1 root     fs          20353 Sep 22 03:15 gm-templates.cgi
-rwxr-xr-x   1 root     fs           9162 Jan 12  2001 gm-upload.cgi*
-rwxr-xr-x   1 root     fs         388772 Feb 22  2001 gm.cgi*


The path to "gmrightclick*" can vary widely. This is user defined but
often easy to find just by visiting the GM based blog/site. The default
directory is (I believe) /archive/. Others you may often see is
/archive/logs/ or /photo/archives/ depending on the GM usage. 

What prompts this vulnerability: 

If the administrator uses the "Add Bookmarklets" feature to add a
link/photo, it will add a new "gmrightclick*" file unless they have set
the "clear" function in their configuration. After adding a link, they
need to hit the "Clear And Exit" button at the bottom of the page. This
will remove all "gmrightclick*reg" files. 

Sites that customize their look/HTML will likely not have an open
/archive/ dir. Sites that use "Master Archive" option will not have a
browsable /archive/ directory. This will make it difficult to find the

'gmrightclick' filename examples:

I assume the number is pseudo random, or based off PID or something else
as an obscurity scheme. This WILL help for sites that customize or use
'master archive' feature, as it will not let the user enter the /archive/
dir and clearly see the .reg files. You could brute force find this
possibly but the gain is minimal. Further, the file can be deleted without
hurting functionality so it may not even be there despite brute forcing. 

GM is a unix package, but the 'bookmarklet' option is an Internet Explorer

Contents of gmrightclick*reg (word wrapped for this post): 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Post To &Greymatter]


Notice the two fields: "authorname" and "authorpassword" above. With this
information, you can log in w/ full administrative rights to a GM site. 




Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC