COMMAND

Greymatter remote login/pass exposure

SYSTEMS AFFECTED

Greymatter 1.21c and earlier

PROBLEM

In jericho 'security curmudgeon' advisory [http://attrition.org]:

--snipp--

The big sign of GM being present is /cgi-bin/gm.cgi .. that is the greymatter login screen and odds are GM is being run as root. Just getting the password will let you post to the blogger, erase entries, upload files and more. However, there are a lot of CGIs (listed below) associated with the package, many could be vulnerable to the older attacks.

Just search for a file called "gmrightclick" in google and download a file called "gmrightclick*.reg" where the stars represent a number. Open it and there you have it: Username and Password for everyone to use.

--snapp--

See refs:

http://foshdawg.net/forums/viewtopic.php?p=773#773
http://www.metafilter.com/comments.mefi/15039
http://www.dangerousmonkey.com/dangblog/dangarch/00000051.htm
http://www.cirt.net/nikto/
http://www.movabletype.org/
http://foshdawg.net/forums/index.php

SOLUTION

If the administrator uses the "Add Bookmarklets" feature to add a link/photo, it will add a new "gmrightclick*" file unless they have set the "clear" function in their configuration. After adding a link, they need to hit the "Clear And Exit" button at the bottom of the page. This will remove all "gmrightclick*.reg" files.

Sites that customize their look/HTML will likely not have an open /archive/ dir. Sites that use the "Master Archive" option will not have a browsable /archive/ directory. Either condition makes the file difficult to find.
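
One way for an administrator to confirm that no bookmarklet files were left behind, as an added example that is not part of the original advisory: the script searches a web root for "gmrightclick*.reg" files and flags the world-readable ones. The directory argument and the function names are assumptions; the filename pattern is the one named in the advisory.

```shell
#!/bin/sh
# Added example: audit a web root for leftover Greymatter bookmarklet files.
# The pattern gmrightclick*.reg comes from the advisory; the function names
# and the directory argument are assumptions made for this illustration.

# Print every gmrightclick*.reg file under the given directory.
find_gmrightclick() {
    find "$1" -type f -name 'gmrightclick*.reg' 2>/dev/null
}

# Print the number of leftover files (one path per line is assumed).
count_gmrightclick() {
    find_gmrightclick "$1" | wc -l | tr -d ' '
}

# Report findings. Returns 0 = clean, 1 = leftovers found, 2 = bad argument.
audit_gmrightclick() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    n=$(count_gmrightclick "$root")
    if [ "$n" -eq 0 ]; then
        echo "OK: no gmrightclick*.reg files under $root"
        return 0
    fi
    echo "FOUND: $n gmrightclick*.reg file(s) under $root"
    find_gmrightclick "$root" | while IFS= read -r f; do
        # World-readable files are the ones a web server can hand out.
        if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
            echo "  $f (world-readable)"
        else
            echo "  $f"
        fi
    done
    return 1
}

# Run the audit when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_gmrightclick "$1"
fi
```

A non-zero exit status makes the script usable from cron or a deployment check; any file it lists is removed by the "Clear And Exit" button described above.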