logo Home

Untitled Document

Home > Archives Advisories > Articles


Untitled Document

Untitled Document

Viewing users account in SIPS
Date: 2003-03-19

Author : subj - r2subj3ct@dwclan.org

Product : SIPS
Version : v0.2.2
WebSite : http://www.squishdot.org
Problem : Viewing users account

Description:
------------

You could easily look throught any user's account without any
permissions. Each of them is in dir names after first letter of his
login. For example foo will have url like this
one: /sipssys/users/f/foo/user
So user's info file could be saw - it gaves u md5-hash of password, that
you can try to crack by JtR or other any soft

E.g:

http://localhost/sips/sipssys/users/t/test/user

Password::47bce5c74f589f4867dbd57e9ca9f808 //??????
?????????????
?????????? MD5.
Email::test@localhost
Theme::default

==========
login.php:
==========
[...]

if ($action == "login") {
if ($username) {
if (file_exists($config["sipssys"] ."/users/$username[0]/
$username/user")) {
$cryptpass = md5($password);
if (getUserValue($username, "Password") == $cryptpass) {
$cryptuser = "$username:$cryptpass";
[...]


Exploit:
--------

http://[somehost]/[sips_directioy]/sipssys/users/[first_letter_of_UserID]/
[UserID]/user


Link:
=====
www.dwcgr0up.com
irc.dwcgr0up.biz:6667

Fixs:
=====

U can finf all our fix on our homepage [www.dwcgroup.com]

Thanks:
=======
GipsHack crew : DHGroup etc etc



 

arrowSearch Advisories

arrowNewsletter

Free weekly Newsletter.

Please enter your email address here:
arrowReport Vulnerability

If you've found a vulnerability please
click here to report it.
arrowPartners

newsnow

About Us | Contact Us | Advertise | email | Backend flag
Copyright © 2016-2017 Security Corporation - All Rights Reserved - Legal - Privacy Policy