Title:
======
Dir2web3 Multiple Vulnerabilities

Date:
=====
05/08/2012

Author:
=======
Daniel Correa (http://www.sinfocol.org/)

Vulnerable software:
====================
Dir2web v3.0 (http://www.dir2web.it/)

CVE:
====
CVE-2012-4069
CVE-2012-4070

Details:
========
Two vulnerabilities were identified in Dir2web v3.0:

Information disclosure (CVE-2012-4069):
The database folder is public and is not protected via .htaccess. An attacker can download the entire database and look for hidden pages on the website.

SQL Injection (CVE-2012-4070):
The preg_match function is not enough to protect GET/POST parameters. An attacker can easily perform a SQL injection against the application.

Exploit:
========
Information disclosure:
http://site/_dir2web/system/db/website.db

SQL Injection:
http://site/index.php?wpid=homepage&oid=6a303a0aaa' OR id > 0-- -

Patch:
======
Information disclosure:
Create a .htaccess file in the _dir2web folder with the following content:

    order deny,allow
    deny from all

SQL Injection:
Fix the regular expression in the dispatcher.php file located in the _dir2web/system/src folder.

Replace:
    '/[a-zA-Z0-9]{10}/'
With:
    '/^[a-zA-Z0-9]{10}$/'

Timeline:
=========
13/07/2012: Vendor contacted
25/07/2012: CERT contacted
27/07/2012: CVE assigned
05/08/2012: Vulnerability published on Bugtraq

--
Regards,
Daniel Correa
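
The regular-expression change from the Patch section, shown as an added example that is not part of the original advisory and is not Dir2web code. The function names and the sample values other than the advisory's own oid string are hypothetical, and the \A...\z variant is an assumption that goes one step beyond the advisory's patch.

```php
<?php
// Added illustration; helper names are hypothetical, not taken from dispatcher.php.

// Pattern before the patch: unanchored, so a 10-character alphanumeric run
// anywhere in the value is enough for the check to pass.
function oid_ok_original(string $oid): bool {
    return preg_match('/[a-zA-Z0-9]{10}/', $oid) === 1;
}

// Pattern from the advisory's patch: anchored at both ends.
function oid_ok_patched(string $oid): bool {
    return preg_match('/^[a-zA-Z0-9]{10}$/', $oid) === 1;
}

// Stricter variant (assumption, not from the advisory): in PCRE, $ also
// matches just before a final newline, while \z matches only at the true end.
function oid_ok_strict(string $oid): bool {
    return preg_match('/\A[a-zA-Z0-9]{10}\z/', $oid) === 1;
}

// Constructed sample values; the second is the oid string quoted in the advisory.
$samples = [
    'valid id'         => '6a303a0aaa',
    'advisory request' => "6a303a0aaa' OR id > 0-- -",
    'trailing newline' => "6a303a0aaa\n",
    'too short'        => '6a303',
];

// Print which of the three checks accepts each value (1 = accepted).
foreach ($samples as $label => $value) {
    printf("%-18s original=%d patched=%d strict=%d\n",
        $label,
        oid_ok_original($value),
        oid_ok_patched($value),
        oid_ok_strict($value));
}
```

Validation of this kind only narrows what reaches the query; binding oid as a parameter in a prepared statement removes the dependence on the pattern being exactly right.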