| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <501E2890.4000708@sinfocol.org>
Date: Sun, 05 Aug 2012 03:02:24 -0500
From: Daniel Correa <admin@...focol.org>
To: bugtraq@...urityfocus.com
Subject: Dir2web3 Mutiple Vulnerabilities
Title:
======
Dir2web3 Multiple Vulnerabilities
Date:
=====
05/08/2012
Author:
=======
Daniel Correa (http://www.sinfocol.org/)
Vulnerable software:
====================
Dir2web v3.0 (http://www.dir2web.it/)
CVE:
====
CVE-2012-4069
CVE-2012-4070
Details:
========
There are two vulnerabilities identified on Dir2web v3.0:
Information disclosure (CVE-2012-4069):
Database folder is public and it is not protected via .htaccess. An attacker
can download the entire database and look for hidden pages on the website.
SQL Injection (CVE-2012-4070):
Preg_match function is not enough to protect GET/POST parameters. An
attacker
can easily make a SQL Injection over the application.
Exploit:
========
Information disclosure:
http://site/_dir2web/system/db/website.db
SQL Injection:
http://site/index.php?wpid=homepage&oid=6a303a0aaa' OR id > 0-- -
Patch:
======
Information disclosure:
Create .htaccess file on _dir2web folder with the following content:
order deny, follow
deny from all
SQL Injection:
Fix the regular expression in dispatcher.php file located on
_dir2web/system/src folder.
Replace:
'/[a-zA-Z0-9]{10}/'
With:
'/^[a-zA-Z0-9]{10}$/'
Timeline:
=========
13/07/2012: Vendor contacted
25/07/2012: CERT contacted
27/07/2012: CVE assigned
05/08/2012: Vulnerability published on Bugtraq
--
Regards,
Daniel Correa
Download attachment "signature.asc" of type "application/pgp-signature" (835 bytes)
Powered by blists - more mailing lists