lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu May 18 10:16:53 2006
From: diwelf at gmail.com (Matt Gibson)
Subject: [Info Disclosure] Diesel PHP Job Site Latest
	Version

Subject: [Info Disclosure] Diesel PHP Job Site Latest Version

Severity: Pretty Bad
Title: Diesel PHP Job Site Latest Version Information Disclosure
Home Page: http://www.dieselscripts.com/
Product Page: http://www.dieselscripts.com/diesel-job-site.html
Date: May 17, 2006


Synopsis:
=========
When an unsuspecting user installs this software on their
webserver, all information is emailed back to the original
programmers of this software. This information is sent
from install.php, which includes the database host,
database name, username, and password used to connect.


Background:
===========
This script allows job seekers to post their resumes
and search job postings for free and employers pay
a fee to post jobs and search the resumes online.
Free posting and searching is also possible.


Information:
============
I run a VOIP Jobs site tailored to the Asterisk Community.
As I do not have much money or investors I couldn't afford
some swanky ass Job Board. I found this one, which was
relatively cheap, but required register_globals. I bought it
anyway (mistake #1). So, I thought I would be nice, and edit
their software to remove this requirement. While I was looking
through the code I found this little gem in the install file.

Details:
========
In install.php, line 31, there is a call to a mail function
that emails support@...selscripts.com with your username,
email, database credentials, hosts and passwords. Due to their
licensing agreement I'm not actually allowed to post the offending
line of code from the file.

It's worth mentioning that they also tried to hide this from
unsuspecting users by tabbing it across the screen a number of
times so it was hidden if scrolling without wordwrap on. Sneaky bastards.

Fix/Workaround:
===============
1. Don't use this software
2. Use it, but first comment/delete that line from install.php
3. Disable the ability to send mail from PHP/Server
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060518/bfd86146/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ