Sensitive Information Disclosure in Text Rider
Summary
- Vulnerability: Sensitive Information Disclosure in Text Rider
- Discovered: 2006.01.23
- Last Update: 0 n/a
- ID: EV0046
- CVE: CVE-2006-0439, CVE-2006-0440
- Risk Level: high
- Type: Sensitive Information Disclosure
- Status: Unpatched
- Vendor: n/a
- Vulnerable Software: Text Rider (http://robot.ir/blog/mollasadra/textrider/)
- Version: 2.4
- PoC/Exploit: Available
- Solution: Not available
- Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Description
A sensitive information disclosure vulnerability was found in the Text Rider (http://robot.ir/blog/mollasadra/textrider/) script.
The data directory is not protected by .htaccess in the default installation. This can be used to retrieve registered users' information, including logins and MD5 hashes of passwords.
This threatens the cookie-based authentication.
To authenticate as administrator, the cookies need to contain the following:
username=[admin user]password=[md5 hash]
An administrator can edit the "config.php" file and upload arbitrary files.
System access is therefore possible.
PoC/Exploit
URL Example:
http://host/textrider/data/userlist.txt
Solution
A solution for "Sensitive Information Disclosure in Text Rider" is not available. Check the vendor's website for updates.
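Until a vendor fix exists, the missing .htaccess protection described above can be added by hand. The script below is an added example, not code from the vendor or from eVuln; it assumes the data directory sits under the install root as in the URL example, and that Apache honours .htaccess files there.

```shell
#!/bin/sh
# Added example (not vendor code): audit and protect Text Rider's data/ directory.
# Assumptions: data/ sits under the install root, as in the advisory's URL, and
# Apache honours .htaccess files there (AllowOverride is not "None").

# Return 0 if data/.htaccess contains a deny-all rule, 1 otherwise.
# Heuristic: it looks for the directive and does not parse enclosing sections.
data_dir_protected() {
    ht="$1/data/.htaccess"
    [ -f "$ht" ] || return 1
    grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all)' "$ht"
}

# Append a deny-all rule (Apache 2.4 and 2.2 syntax) to data/.htaccess.
harden_data_dir() {
    root="$1"
    if [ ! -d "$root/data" ]; then
        echo "no data/ directory under $root" >&2
        return 2
    fi
    if data_dir_protected "$root"; then
        echo "already protected: $root/data"
        return 0
    fi
    cat >> "$root/data/.htaccess" <<'EOF'
# HTTP-only restriction; server-side file reads are unaffected.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
EOF
    echo "wrote $root/data/.htaccess"
}

# Stand-alone use: sh harden.sh /var/www/textrider   (path is a placeholder)
if [ "$#" -gt 0 ]; then
    harden_data_dir "$1"
fi
```

After applying it, confirm that a request for data/userlist.txt is refused by the web server. Because the cookie carries the MD5 hash itself, any hash that was already exposed stays usable until the corresponding password is changed.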


