Recent Information Disclosure vulnerabilities
Here is a short summary of recent Information Disclosure vulnerabilities discovered by the eVuln team. The full list with details is available on the eVuln Security Advisories page.
Arbitrary File Disclosure Vulnerability in Quirex.
Description.
Vulnerable Script: convert.cgi
The variables $quiz_head, $quiz_foot and $template are not properly sanitized. This can be used to read arbitrary files.
System access is possible.
Exploit.
File Disclosure Example
Url: http://host/cgi-bin/quirex/convert.cgi
Path to quiz_head.txt: [arbitrary file]
Path to quiz_foot.txt: [arbitrary file]
Output file: [output file]
Solution
Solution is not available.
Sensitive Information Disclosure in Text Rider.
Description.
The data directory is not protected by .htaccess in the default installation. This can be used to retrieve registered users' information, including logins and MD5 hashes of passwords.
Cookie-based authentication is threatened.
To authenticate as administrator, the cookies need to contain the following:
username=[admin user]
password=[md5 hash]
The administrator is able to edit the "config.php" file and upload arbitrary files.
System access is possible.
Exploit.
URL Example:
http://host/textrider/data/userlist.txt
Solution
Solution is not available.
Weblog Sensitive Information Disclosure in Note-A-Day.
Description.
The archive directory is not protected by .htaccess in the default installation. This can be used to retrieve registered users' information, including encrypted passwords.
Exploit.
Admin's encrypted password:
http://host/noteday/archive/.phpass-admin
Solution
Solution is not available.
Directory Traversal and Data Disclosure in RCBlog.
Description.
1. The data and config directories are not protected by .htaccess in the default installation. This can be used to retrieve registered users' information, including logins and MD5 hashes of passwords.
2. Directory traversal is possible.
Vulnerable script: index.php
The variable $_GET[post] is not properly sanitized. This can be used to open arbitrary files with the txt extension. The administrator's login and password are threatened.
The administrator is able to upload arbitrary files.
System access is possible.
Exploit.
Directory traversal example:
http://host/rcblog/index.php?post=../config/password
Solution
Solution is not available.
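The RCBlog entry above describes the missing check in index.php: a post name taken from $_GET[post] is used as a file path, so "../config/password" escapes the posts directory. The following is an added example (not RCBlog's own code) of how such a lookup is confined: an allowlist on the name plus a canonical-path check against the posts directory. The directory layout, file names and the resolve_post/demo helpers are assumptions made for the demonstration.

```python
import os
import re
import tempfile
from typing import Optional

# Allowlist for a post name: no slashes, dots, NUL bytes or other separators.
POST_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def resolve_post(base_dir: str, post: str) -> Optional[str]:
    """Return the canonical path of <base_dir>/<post>.txt, or None when the
    name is not allowed, the path escapes base_dir, or the file is missing."""
    if not POST_NAME.fullmatch(post):
        return None  # rejects "../config/password", "", "a/b", "post\0"
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, post + ".txt"))
    # Second line of defence: even if the allowlist were loosened later, the
    # canonical path (symlinks resolved) must still sit under the posts dir.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway layout (assumed: data/posts/*.txt and config/) and
    report which requests the check lets through. All content is constructed."""
    root = tempfile.mkdtemp()
    posts = os.path.join(root, "data", "posts")
    os.makedirs(posts)
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(posts, "hello.txt"), "w") as f:
        f.write("first post")
    with open(os.path.join(root, "config", "password.txt"), "w") as f:
        f.write("constructed-sample-value")  # not a real credential
    requests = ["hello", "../config/password", "a/b", "missing"]
    return {r: resolve_post(posts, r) for r in requests}


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name!r:24} -> {'allowed: ' + path if path else 'rejected'}")
```

Only "hello" resolves; the traversal payload from the advisory, the nested name and the absent post are all refused before any file is opened.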
Sensitive Information Disclosure in Flog.
Description.
The data directory is not protected by .htaccess in the default installation. This can be used to retrieve registered users' information, including logins and MD5 hashes of passwords.
Exploit.
Example:
http://host/flog/data/users.0.dat
Solution
Solution is not available.