Dir2web3 Multiple Vulnerabilities

Board: Bugtraq, posted 2012/08/07 04:32
Title:
======
Dir2web3 Multiple Vulnerabilities

Date:
=====
05/08/2012

Author:
=======
Daniel Correa (http://www.sinfocol.org/)

Vulnerable software:
====================
Dir2web v3.0 (http://www.dir2web.it/)

CVE:
====
CVE-2012-4069
CVE-2012-4070

Details:
========
There are two vulnerabilities identified in Dir2web v3.0:

Information disclosure (CVE-2012-4069):
The database folder is public and is not protected via .htaccess. An attacker
can download the entire database and look for hidden pages on the website.

SQL Injection (CVE-2012-4070):
The preg_match function as used is not enough to protect GET/POST parameters.
An attacker can easily perform SQL injection against the application.

Exploit:
========
Information disclosure:
http://site/_dir2web/system/db/website.db

SQL Injection:
http://site/index.php?wpid=homepage&oid=6a303a0aaa' OR id > 0-- -

Patch:
======
Information disclosure:
Create a .htaccess file in the _dir2web folder with the following content:

    Order deny,allow
    Deny from all

SQL Injection:
Fix the regular expression in the dispatcher.php file located in the
_dir2web/system/src folder.

Replace:
    '/[a-zA-Z0-9]{10}/'
With:
    '/^[a-zA-Z0-9]{10}$/'

Timeline:
=========
13/07/2012: Vendor contacted
25/07/2012: CERT contacted
27/07/2012: CVE assigned
05/08/2012: Vulnerability published on Bugtraq

-- 
Regards,
Daniel Correa
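
The following is an added example, not part of the advisory and not Dir2web's own code. It compares the two preg_match patterns from the Patch section against the oid value from the advisory's URL, and shows the value bound as a query parameter after validation. The function names, the objects table and its columns, the D-modifier variant and the use of PDO with in-memory SQLite are assumptions made for illustration.

```php
<?php
// Added example, not Dir2web code; function, table and column names are hypothetical.

const OID_UNANCHORED = '/[a-zA-Z0-9]{10}/';     // pattern the advisory replaces
const OID_ANCHORED   = '/^[a-zA-Z0-9]{10}$/';   // pattern the advisory recommends
// Assumption beyond the advisory: the D modifier stops $ from also matching
// just before a trailing newline.
const OID_STRICT     = '/^[a-zA-Z0-9]{10}$/D';

function oid_is_valid(string $pattern, string $oid): bool
{
    // preg_match() returns 1 on a match, 0 on no match, false on error.
    return preg_match($pattern, $oid) === 1;
}

// Validate, then bind the value so it is never spliced into the SQL text.
function find_titles(PDO $db, string $oid): array
{
    if (!oid_is_valid(OID_STRICT, $oid)) {
        return [];
    }
    $stmt = $db->prepare('SELECT title FROM objects WHERE oid = :oid');
    $stmt->execute([':oid' => $oid]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed test database (in-memory SQLite, needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE objects (id INTEGER PRIMARY KEY, oid TEXT, title TEXT)');
$db->exec("INSERT INTO objects (oid, title) VALUES ('6a303a0aaa', 'home'), ('0b414b1bbb', 'hidden')");

// Constructed inputs; the second is the oid value from the advisory's URL.
$samples = [
    'well-formed'      => '6a303a0aaa',
    'advisory value'   => "6a303a0aaa' OR id > 0-- -",
    'trailing newline' => "6a303a0aaa\n",
];

foreach ($samples as $label => $oid) {
    printf("%-16s unanchored=%d anchored=%d strict=%d rows=%d\n",
        $label,
        oid_is_valid(OID_UNANCHORED, $oid),
        oid_is_valid(OID_ANCHORED, $oid),
        oid_is_valid(OID_STRICT, $oid),
        count(find_titles($db, $oid)));
}
```

The unanchored pattern accepts the advisory's value because the first ten characters satisfy it on their own; the anchored pattern rejects it but still accepts a value ending in a newline unless the D modifier is used.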
Article ID (AID): #1G82d2Z_ (Bugtraq)