[webapps / 0day] - Tastydir <= 1.2 (1216) Multiple Vulner
Posted on 17 October 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Tastydir <= 1.2 (1216) Multiple Vulnerabilities | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Tastydir <= 1.2 (1216) Multiple Vulnerabilities in webapps / 0day | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>=============================================== Tastydir <= 1.2 (1216) Multiple Vulnerabilities =============================================== # Software Link: http://codecanyon.net/item/tastydir-an-ajax-file-manager-and-dir-listing/117167 # Version: 1216 # Tested on: Ubuntu 10.10 # Information: Tastydir is a cross-platform PHP file management system which allows you to not only replace your traditional FTP client but also allow your users to view directories in a much more aesthetically pleasing way. # Vulnerability (Folder Creation): Tastydir has the option to remotely create folders on your server, but it doesn't check if the user is logged in or not so an attacker can easily create folders from the server and access. # Exploitation: http://localhost/_tastydir/do.php?mkdir=/var/www/test # Vulnerability (File Listing): Tastydir version 1216 and below present a file listing vulnerability, an attacker can list all the files from a folder, and can see the permissions for that file and it's size. # Exploitation: http://localhost/_tastydir/do.php?d=/var/www/ # Vulnerability (Cookie Forgery): When a user logs, a cookie named tastydir_auth is created, the data section contains the twice hashed sha1 password of the administrator. # Exploitation: An attacker given certain conditions ( by disclosing the hashed password from _tastydir/settings.php ) can forge a cookie to imitate an authentic log in, without having to crack the password, by hashing the hashed password using the sha1 algorithm and inserting it into the cookie. # Cookie: Name: tastydir_auth Content: [2x hashed password sha1] # Vulnerability (chmod): Tastydir has the option to remotely chmod files from your server, but it doesn't check if the user is logged in or not so an attacker can easily chmod the files from the server. # Exploitation: http://localhost/_tastydir/do.php?chmod=/var/www/index.php&to=000 # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-17]</pre></body></html>
