header-logo
Suggest Exploit
vendor:
Kemana Directory
by:
Gjoko 'LiquidWorm' Krstic
7,5
CVSS
HIGH
Cookie User Password Hash Disclosure
311
CWE
Product Name: Kemana Directory
Affected Version From: 1.5.6
Affected Version To: 1.5.6
Patch Exists: NO
Related CWE: N/A
CPE: a:c97net:kemana_directory:1.5.6
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Apache/2.4.7 (Win32), PHP/5.5.6, MySQL 5.6.14
2014

Kemana Directory 1.5.6 kemana_admin_passwd Cookie User Password Hash Disclosure

Kemana contains a flaw that is due to the 'kemana_admin_passwd' cookie storing user password SHA1 hashes. This may allow a remote MitM attacker to more easily gain access to password information.

Mitigation:

Ensure that the 'kemana_admin_passwd' cookie is not storing user password SHA1 hashes.
Source

Exploit-DB raw data:


Kemana Directory 1.5.6 kemana_admin_passwd Cookie User Password Hash Disclosure


Vendor: C97net
Product web page: http://www.c97.net
Affected version: 1.5.6

Summary: Experience the ultimate directory script solution
with Kemana. Create your own Yahoo or Dmoz easily with Kemana.
Unique Kemana's features including: CMS engine based on our
qEngine, multiple directories support, user friendly administration
control panel, easy to use custom fields, unsurpassed flexibility.

Desc: Kemana contains a flaw that is due to the 'kemana_admin_passwd'
cookie storing user password SHA1 hashes. This may allow a remote MitM
attacker to more easily gain access to password information.


Tested on: Apache/2.4.7 (Win32)
           PHP/5.5.6
           MySQL 5.6.14


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5179
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5179.php


Dork #1: intitle:powered by c97.net
Dork #2: intitle:powered by qEngine
Dork #3: intitle:powered by Kemana.c97.net
Dork #4: intitle:powered by Cart2.c97.net



07.03.2014

---


GET /kemana/admin/rev_report.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/kemana/admin/link.php
Cookie: qvc_value=4e520fb7e28ff76d71800f4329633bc12040101c; kemana_user_id=guest%2Acbb77d83775796bc42f94a97f9905a0d; kemana_admin_id=admin; kemana_admin_passwd=d033e22ae348aeb5660fc2140aec35850c4da997
Connection: keep-alive

Navigation

Suggest Exploit

Services By CQR