Title:

Dir2web3 Multiple Vulnerabilities

Date:

05/08/2012

Author:

Daniel Correa (http://www.sinfocol.org/)

Vulnerable software:

Dir2web v3.0 (http://www.dir2web.it/)

CVE:

CVE-2012-4069
CVE-2012-4070

Details:

There are two vulnerabilities identified on Dir2web v3.0:

Information disclosure (CVE-2012-4069):
Database folder is public and it is not protected via .htaccess. An attacker
can download the entire database and look for hidden pages on the website.

SQL Injection (CVE-2012-4070):
Preg_match function is not enough to protect GET/POST parameters. An
attacker
can easily make a SQL Injection over the application.

Exploit:

Information disclosure:
http://site/_dir2web/system/db/website.db

SQL Injection:
http://site/index.php?wpid=homepage&oid=6a303a0aaa' OR id > 0-- -

Patch:

Information disclosure:
Create .htaccess file on _dir2web folder with the following content:
order deny, follow
deny from all

SQL Injection:
Fix the regular expression in dispatcher.php file located on
_dir2web/system/src folder.

Replace:
'/[a-zA-Z0-9]{10}/'
With:
'/^[a-zA-Z0-9]{10}$/'

Timeline:

13/07/2012: Vendor contacted
25/07/2012: CERT contacted
27/07/2012: CVE assigned
05/08/2012: Vulnerability published on Bugtraq

– Regards, Daniel Correa