Getsimple CMS 2.01 < 2.02 - Administrative Credentials Disclosure

• Exploit Database
• 16 阅读

• 作者： Michael Brooks
  日期： 2010-11-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/15605/

• Researcher: Michael Brooks
  Affecting: GetSimple CMS 2.01 and 2.02
  Fixed:2.03
  Vulnerability: Administrative Credentials Disclosure
  Vendor's Homepage: http://code.google.com/p/get-simple-cms
  
  download url for 2.01: http://www.box.net/get-simple/1/30435008/399754548
  download svn for 2.02(beta): svn checkout
  http://get-simple-cms.googlecode.com/svn/trunk/
  get-simple-cms-read-only
  
  GetSimple does not use a SQL Database. Instead it uses a system of
  .xml files located here: http://127.0.0.1/GetSimple_2.01/data. These
  files are used to maintain application state and organize the
  applications content. The administrators username and password hash
  can be obtained by navigating to the following xml file:
  http://127.0.0.1/GetSimple_2.01/data/other/user.xml
  Passwords are stored using sha1() and a salt is not used by default,
  although a user can configure the application to use one. It is
  trivial to break this hash using John The Ripper or Cain and Able .
  
  All failed login attempts are put into the following XML file, this
  information can greatly reduce the number of guesses that an attacker
  would have to make in order to break the sha1 hash.
  http://127.0.0.1/GetSimple_2.01/data/other/logs/failedlogins.log
  
  There are other interesting files such as a clear text API token can
  be obtained:
  http://127.0.0.1/GetSimple_2.01/data/other/authorization.xml
  
  The patch is simple, in the ./data/ directory add a .htaccess file
  with that contains "deny from all".