Sensitive Information Disclosure in Text Rider
Summary
- Vulnerability: Sensitive Information Disclosure in Text Rider
- Discovered: 2006.01.23
- Last Update: 0 n/a
- ID: EV0046
- CVE: CVE-2006-0439, CVE-2006-0440
- Risk Level: high
- Type: Sensitive Information Disclosure
- Status: Unpatched
- Vendor: n/a
- Vulnerable Software: Text Rider (http://robot.ir/blog/mollasadra/textrider/)
- Version: 2.4
- PoC/Exploit: Available
- Solution: Not available
- Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Description
A sensitive information disclosure vulnerability was found in the Text Rider script (http://robot.ir/blog/mollasadra/textrider/).
The data directory isn't protected by htaccess in the default installation. This can be used to retrieve registered users' information, including logins and md5 hashes of passwords.
Cookie-based authentication is threatened, because the cookies carry the md5 hash itself.
To authenticate as administrator, the cookies need to contain the following:
username=[admin user]
password=[md5 hash]
The administrator is able to edit the "config.php" file and upload arbitrary files.
System access is possible.
PoC/Exploit
URL Example:
http://host/textrider/data/userlist.txt
Solution
A solution for "Sensitive Information Disclosure in Text Rider" is not available. Check the vendor's website for updates.
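For detection, the following added example (not part of the original advisory) scans Apache access-log lines for requests under the data directory that the server actually served. The /textrider/ install path is taken from the URL example above, and the log lines and client addresses are constructed samples.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: the script lives under a path containing /textrider/, as in the
# advisory's URL example. Adjust the pattern for other install locations.
DATA_DIR_RE = re.compile(r'/textrider/data(/|$)', re.IGNORECASE)

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Jan/2006:10:15:02 +0000] "GET /textrider/data/userlist.txt HTTP/1.1" 200 412 "-" "-"',
    '198.51.100.4 - - [23/Jan/2006:10:16:40 +0000] "GET /textrider/index.php HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.9 - - [23/Jan/2006:10:17:11 +0000] "GET /textrider//data/%75serlist.txt?x=1 HTTP/1.1" 200 412 "-" "-"',
    '192.0.2.9 - - [23/Jan/2006:10:18:00 +0000] "GET /textrider/data/userlist.txt HTTP/1.1" 403 199 "-" "-"',
]


def served_data_requests(lines):
    """Return (client, time, path, status) for each request under the data
    directory that the server answered with a 2xx status."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        # Normalise before matching: drop the query string, decode
        # percent-encoding, collapse repeated slashes.
        path = unquote(m["target"].split("?", 1)[0])
        path = re.sub(r"/{2,}", "/", path)
        status = int(m["status"])
        if DATA_DIR_RE.search(path) and 200 <= status < 300:
            hits.append((m["client"], m["time"], path, status))
    return hits


if __name__ == "__main__":
    for client, when, path, status in served_data_requests(SAMPLE_LOG):
        print(f"{when}  {client}  {status}  {path}")
```

Any hit means the stored logins and md5 hashes should be treated as disclosed, and since the hash is what the cookie carries, the affected passwords need to be changed.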