Recent Information Disclosure vulnerabilities

Here is a short summary of recent Information Disclosure vulnerabilities discovered by the eVuln team. The full list with details is available on the eVuln Security Advisories page.

Arbitrary File Disclosure Vulnerability in Quirex.

Description.

Vulnerable Script: convert.cgi

The variables $quiz_head, $quiz_foot and $template are not properly sanitized. This can be used to read arbitrary files.

System access is possible.

Exploit.

File Disclosure Example

Url: http://host/cgi-bin/quirex/convert.cgi

Path to quiz_head.txt: [arbitrary file]

Path to quiz_foot.txt: [arbitrary file]

Output file: [output file]

Solution

Solution is not available.


Sensitive Information Disclosure in Text Rider.

Description.

The data directory isn't protected by htaccess in the default installation. This can be used to retrieve registered users' information, including logins and MD5 password hashes.

Cookie-based authentication is threatened.

To authenticate as administrator, the cookies need to contain the following:

username=[admin user]password=[md5 hash]

The administrator is able to edit the "config.php" file and upload arbitrary files.

System access is possible.

Exploit.

URL Example:

http://host/textrider/data/userlist.txt

Solution

Solution is not available.


Weblog Sensitive Information Disclosure in Note-A-Day.

Description.

The archive directory is not protected by htaccess in the default installation. This can be used to retrieve registered users' information, including encrypted passwords.

Exploit.

Admin's encrypted password:

http://host/noteday/archive/.phpass-admin

Solution

Solution is not available.


Directory Traversal and Data Disclosure in RCBlog.

Description.

1. The data and config directories are not protected by htaccess in the default installation. This can be used to retrieve registered users' information, including logins and MD5 password hashes.

2. Directory traversal is possible.

Vulnerable script: index.php

The variable $_GET[post] isn't properly sanitized. This can be used to open arbitrary files with the txt extension. The administrator's login and password are threatened.

The administrator is able to upload arbitrary files.

System access is possible.

Exploit.

Directory traversal example:

http://host/rcblog/index.php?post=../config/password

Solution

Solution is not available.
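
For the directory traversal in index.php, one way to resolve a `post`-style parameter safely, shown as an added example that is not RCBlog's code and not a vendor fix. The function name `resolve_post()`, the `posts`/`config` directory layout and the file contents are assumptions constructed for the demo.

```php
<?php
// Hypothetical helper: map a user-supplied post name to a .txt file inside $baseDir, or null.
function resolve_post(string $name, string $baseDir): ?string
{
    // 1. Allow-list: letters, digits, '_' and '-' only. This rejects '/', '\',
    //    '.', NUL bytes and anything else that could step out of the directory.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 2. Canonicalise both paths. realpath() resolves '..' and symlinks and
    //    returns false when the target does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.txt');
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment: the resolved file must sit directly in the base directory.
    //    This also catches a symlink inside the posts directory pointing elsewhere.
    if (dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed demo layout: a posts directory next to a config directory.
$root = sys_get_temp_dir() . '/rcblog_demo_' . getmypid();
@mkdir("$root/posts", 0700, true);
@mkdir("$root/config", 0700, true);
file_put_contents("$root/posts/hello.txt", "first post\n");
file_put_contents("$root/config/password.txt", "constructed-secret\n");

foreach (['hello', '../config/password', 'hello%00', '..\\config\\password', 'missing'] as $candidate) {
    $resolved = resolve_post($candidate, "$root/posts");
    printf("%-22s => %s\n", $candidate, $resolved === null ? 'rejected' : 'served ' . basename($resolved));
}
array_map('unlink', glob("$root/*/*.txt"));
rmdir("$root/posts"); rmdir("$root/config"); rmdir($root);
```

This check only covers item 2. The unprotected data and config directories from item 1 remain directly requestable until the web server denies access to them or they are moved outside the document root.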


Sensitive Information Disclosure in Flog.

Description.

The data directory isn't protected by htaccess in the default installation. This can be used to retrieve registered users' information, including logins and MD5 password hashes.

Exploit.

Example:

http://host/flog/data/users.0.dat

Solution

Solution is not available.
