Sensitive Information Disclosure in Text Rider

Summary

Vulnerability: Sensitive Information Disclosure in Text Rider
Discovered: 2006.01.23
Last Update: 0 n/a
ID: EV0046
CVE: CVE-2006-0439, CVE-2006-0440
Risk Level: high
Type: Sensitive Information Disclosure
Status: Unpatched
Vendor: n/a
Vulnerable Software: Text Rider (http://robot.ir/blog/mollasadra/textrider/)
Version: 2.4
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

A sensitive information disclosure vulnerability was found in the Text Rider (http://robot.ir/blog/mollasadra/textrider/) script.

In the default installation, the data directory isn't protected by .htaccess. This can be used to retrieve registered users' information, including logins and MD5 hashes of passwords.

Cookie-based authentication is threatened.

To authenticate as administrator, the cookies need to contain the following:

username=[admin user]password=[md5 hash]

The administrator is able to edit the "config.php" file and upload arbitrary files.

System access is possible.

PoC/Exploit

URL Example:

http://host/textrider/data/userlist.txt

Solution

A solution for "Sensitive Information Disclosure in Text Rider" is not available. Check the vendor's website for updates.
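
One way to check a server's access logs for reads of the unprotected data directory described above (an added example, not part of the original advisory). The "textrider" install directory name follows the advisory's URL example, and the log lines are constructed samples in Apache combined format.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumption: the script lives in a directory named "textrider"; adjust as needed.
# Case-insensitive because some hosts serve from case-insensitive filesystems.
DATA_DIR_RE = re.compile(r'(^|/)textrider/data(/|$)', re.IGNORECASE)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jan/2006:10:00:01 +0000] "GET /textrider/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Jan/2006:10:02:13 +0000] "GET /textrider/data/userlist.txt HTTP/1.1" 200 412 "-" "-"',
    '198.51.100.7 - - [23/Jan/2006:10:02:40 +0000] "GET /textrider/%64ata/userlist.txt HTTP/1.1" 200 412 "-" "-"',
    '203.0.113.5 - - [23/Jan/2006:10:05:00 +0000] "GET /textrider/data/userlist.txt HTTP/1.1" 403 199 "-" "-"',
]


def canonical_path(target):
    """Return the decoded, normalised path part of a request target."""
    path = target.split("?", 1)[0]
    # Decode twice so single- and double-encoded paths compare equal.
    path = unquote(unquote(path)).replace("\\", "/")
    # normpath collapses "//", "/./" and "/../" segments.
    return normpath("/" + path.lstrip("/"))


def find_data_dir_reads(lines):
    """Return (ip, timestamp, path, status) for served requests into data/."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = canonical_path(m["target"])
        status = int(m["status"])
        # 2xx and 304 mean the file content was, or had earlier been, served.
        if DATA_DIR_RE.search(path) and (200 <= status < 300 or status == 304):
            hits.append((m["ip"], m["ts"], path, status))
    return hits


if __name__ == "__main__":
    for hit in find_data_dir_reads(SAMPLE_LOG):
        print(*hit)
```

A hit means a file under data/ was served to that client, so the logins and password hashes stored there should be treated as exposed. Requests answered with 403 (the fourth sample line) are not reported, which is the result expected once web access to data/ is denied, for example by an .htaccess file in that directory.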