|
ZH2003-12SA (security advisory): PHP-Gästebuch Ver. 1.60 Beta Published: 23/07/2003 Released: 23/07/2003 Name: PHP-Gästebuch (http://www.php-gaestebuch.de) Affected System(s): All versions (?) Severity: Medium/High Platform(s): Windows and Unix Issue: Information disclosure enables attackers to take administrative control Author: Trash-80 - dpangalos@linuxmail.org Description ************ Zone-h Security Team has discovered a serious security flaw in PHP- Gästebuch Ver. 1.60 Beta and possibly in prior versions. PHP-Gästebuch is a guestbook system that except a few bugs has functions like flooding and webfilter protections ... ;) Details ******** 1.guestbookdat contains admin's saved settings for PHP-Gästebuch. Is not protected and an attacker can retrieve serious information about the guestbook. ex: www.example.com/guestbook/guestbookdat 2.pwd contains the admin's password which is encrypted by MD5 algorithm. ex1: www.example.com/guestbook/pwd ex2:md5 encrypted password: ee21d5f27a8401788147f6f6184ddb11 md5 unencrypted password: roland An attacker using a md5 cracker like Cain & Abel (www.oxid.it), can crack the hash and use the decrypted password in order to login as PHP- Gästebuch's administrator. ex: www.example.com/guestbook/admin.php Solution ********* Protect these two files: guestbookdat & pwd. The vendor has been contacted. Trash-80 - www.zone-h.org operator http://www.zone-h.org