lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <407D4691.1060809@mail.ru>
Date: Wed, 14 Apr 2004 16:11:29 +0200
From: moep <moep2mail@...l.ru>
To: bugtraq@...urityfocus.com
Subject: Serendipity Blog vuln


I found this while auditing serendipty blog. You need a blog account ( 
which isnt that big of deal just google all the sites that give out free 
blogs ) for this to work. After you get hte blog account you go into 
your admin panel where there will be config options. The mysql details 
are editable from this form. Since these details are what connects to 
the database they cant be stored in it. For this reason
they are stored in a config .php file.
They way this is done isthrough unfiltered fwrites() to the file so for 
example my "tableprefix" was tgo_ and the code in the config file looked 
liked:
CODEWHATEVER_THE_VAR_WAS='tgo_';
Soas we can see here we have some room for fun. MY poc on my 
friendsserver was to make my table prefix ( there cant be any spaces )
CODEtgo_';phpinfo();echo'hi
Which makes the file look like:
CODE
WHATEVER_THE_VAR_WAS='tgo';phpinfo();echo'hi';
As expected my blog got defaced with the servers phpinfo(). Other fun 
things would be like
CODE
tgo';system
Thefile this gets wrote to gets included on every page for YOUR blog 
sofor instace my blog is blogs.site.com/tgo then this file will 
beincluded in all those allowing me to put ?cmd= on all of them

vuln by moep , moep2mail[at]mail[dot]ru


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ