Dir2web3 Mutiple Vulnerabilities



Title:
======
Dir2web3 Multiple Vulnerabilities

Date:
=====
05/08/2012

Author:
=======
Daniel Correa (http://www.sinfocol.org/)

Vulnerable software:
====================
Dir2web v3.0 (http://www.dir2web.it/)

CVE:
====
CVE-2012-4069
CVE-2012-4070

Details:
========
There are two vulnerabilities identified on Dir2web v3.0:

Information disclosure (CVE-2012-4069):
Database folder is public and it is not protected via .htaccess. An attacker
can download the entire database and look for hidden pages on the website.

SQL Injection (CVE-2012-4070):
Preg_match function is not enough to protect GET/POST parameters. An
attacker
can easily make a SQL Injection over the application.

Exploit:
========
Information disclosure:
http://site/_dir2web/system/db/website.db

SQL Injection:
http://site/index.php?wpid=homepage&oid=6a303a0aaa' OR id > 0-- -

Patch:
======
Information disclosure:
Create .htaccess file on _dir2web folder with the following content:
order deny, follow
deny from all

SQL Injection:
Fix the regular expression in dispatcher.php file located on
_dir2web/system/src folder.

Replace:
'/[a-zA-Z0-9]{10}/'
With:
'/^[a-zA-Z0-9]{10}$/'

Timeline:
=========
13/07/2012: Vendor contacted
25/07/2012: CERT contacted
27/07/2012: CVE assigned
05/08/2012: Vulnerability published on Bugtraq

--
Regards,
Daniel Correa

Attachment: signature.asc
Description: OpenPGP digital signature



Relevant Pages

  • CMME Multiple Information disclosure vulnerabilities
    ... # Bug: Information Disclosure ... Quote from vendor: CMME means "Content Management Made Easy". ... There are multiple vulnerabilities in CMME, which can be exploited by malicious people to disclose potentially sensitive information. ...
    (Bugtraq)
  • Re: Pen Test Success Factors
    ... In my opinion there is an important factor except vulnerabilities - ... For a client to evaluate success of a pen test what ... highlights the quality of tester. ...
    (Pen-Test)
  • AdaptCMS 2.0.1 Multiple security vulnerabilities
    ... AdaptCMS 2.0.1 is prone to multiple security vulnerabilities ... Authentication bypass / Information Disclosure ... Vulnerabilities found and advisory written by Stefan Schurtz. ...
    (Bugtraq)