Kemana Directory 1.5.6 - kemana_admin_passwd Cookie User Password Hash Disclosure

EDB-ID:

32506

CVE:


EDB Verified:

Author:

LiquidWorm

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2014-03-25

Vulnerable App: 

Kemana Directory 1.5.6 kemana_admin_passwd Cookie User Password Hash Disclosure


Vendor: C97net
Product web page: http://www.c97.net
Affected version: 1.5.6

Summary: Experience the ultimate directory script solution
with Kemana. Create your own Yahoo or Dmoz easily with Kemana.
Unique Kemana's features including: CMS engine based on our
qEngine, multiple directories support, user friendly administration
control panel, easy to use custom fields, unsurpassed flexibility.

Desc: Kemana contains a flaw that is due to the 'kemana_admin_passwd'
cookie storing user password SHA1 hashes. This may allow a remote MitM
attacker to more easily gain access to password information.


Tested on: Apache/2.4.7 (Win32)
           PHP/5.5.6
           MySQL 5.6.14


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5179
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5179.php


Dork #1: intitle:powered by c97.net
Dork #2: intitle:powered by qEngine
Dork #3: intitle:powered by Kemana.c97.net
Dork #4: intitle:powered by Cart2.c97.net



07.03.2014

---


GET /kemana/admin/rev_report.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/kemana/admin/link.php
Cookie: qvc_value=4e520fb7e28ff76d71800f4329633bc12040101c; kemana_user_id=guest%2Acbb77d83775796bc42f94a97f9905a0d; kemana_admin_id=admin; kemana_admin_passwd=d033e22ae348aeb5660fc2140aec35850c4da997
Connection: keep-alive
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services