53 lines
No EOL
1.7 KiB
Text
53 lines
No EOL
1.7 KiB
Text
|
|
Kemana Directory 1.5.6 kemana_admin_passwd Cookie User Password Hash Disclosure
|
|
|
|
|
|
Vendor: C97net
|
|
Product web page: http://www.c97.net
|
|
Affected version: 1.5.6
|
|
|
|
Summary: Experience the ultimate directory script solution
|
|
with Kemana. Create your own Yahoo or Dmoz easily with Kemana.
|
|
Unique Kemana's features including: CMS engine based on our
|
|
qEngine, multiple directories support, user friendly administration
|
|
control panel, easy to use custom fields, unsurpassed flexibility.
|
|
|
|
Desc: Kemana contains a flaw that is due to the 'kemana_admin_passwd'
|
|
cookie storing user password SHA1 hashes. This may allow a remote MitM
|
|
attacker to more easily gain access to password information.
|
|
|
|
|
|
Tested on: Apache/2.4.7 (Win32)
|
|
PHP/5.5.6
|
|
MySQL 5.6.14
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2014-5179
|
|
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5179.php
|
|
|
|
|
|
Dork #1: intitle:powered by c97.net
|
|
Dork #2: intitle:powered by qEngine
|
|
Dork #3: intitle:powered by Kemana.c97.net
|
|
Dork #4: intitle:powered by Cart2.c97.net
|
|
|
|
|
|
|
|
07.03.2014
|
|
|
|
---
|
|
|
|
|
|
GET /kemana/admin/rev_report.php HTTP/1.1
|
|
Host: localhost
|
|
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Referer: http://localhost/kemana/admin/link.php
|
|
Cookie: qvc_value=4e520fb7e28ff76d71800f4329633bc12040101c; kemana_user_id=guest%2Acbb77d83775796bc42f94a97f9905a0d; kemana_admin_id=admin; kemana_admin_passwd=d033e22ae348aeb5660fc2140aec35850c4da997
|
|
Connection: keep-alive |