Please view the original advisory/exploit here. The South Korean Community/Website/Content Management System UTW suffers from various vulnerabilities. Local File Inclusion Script: utw_lib/get_file.php Parameters: file, rfile Example: utw_lib/get_file.php?rfile=<local path>&file=<local file name> The script get_file.php is vulnerable to local file inclusion attacks. Arbitrary files can be viewed by combining the values for the rfile and file parameters. […]

Author:

Please view the original advisory/exploit here.

The South Korean Community/Website/Content Management System UTW suffers from various vulnerabilities.

Local File Inclusion
Script: utw_lib/get_file.php
Parameters: file, rfile
Example: utw_lib/get_file.php?rfile=<local path>&file=<local file name>

The script get_file.php is vulnerable to local file inclusion attacks. Arbitrary
files can be viewed by combining the values for the rfile and file parameters.

Source Code Disclosure
With the help of the LFI vulnerability the source code of every local script can be
viewed.
Example: utw_lib/get_file.php?rfile=get_file.php
(Yes, using the rfile variable is correct here, although its purpose is to
store a path.)

This knowledge can also be used to view local configuration files.
Example: utw_lib/get_file.php?rfile=dbinfo.inc.php
The file dbinfo.inc.php contents the MySQL data, such as the host, database,
user and password in plain text.
With the help of this information it is possible to access the MySQL server.

Cross-Site Request Forgery
Every input field I saw did not filter out HTML or JavaScript code.
I did not check if there are also XSS flaws, but there is a high chance
that you are able to permanently inject code, e.g. in the message board threads.

Low Security Levels
Since the user data is stored in plain text (including email addresses and
passwords), the identities of the registered userscan be stolen easily by
accessing the MySQL database.

Another aspect of this low security level is that many users use similar
passwords for different services, e.g. often only one password for communities
and email service logins is used.
In this case all the user passwords and their email addresses can be dumped
from the database and be used for trying to login to their email accounts.

The admin panel can be accessed by adding /utw_admin to the URL.

The product contains also a feature which makes it possible to download
files, their download locations are stored in the database. An attack scenario
would be to change the file downloads, so the users of the affected
website download malicious content.

External Website Rendering
(Un)Fortunately this product is not affected by a RFI vulnerability, or at
least I was not able to detect one. But rendering external websites in the
context of the thrusted website is possible.
Example: tw_lib/get_file.php?rfile=http://www,google.com

This is not a real vulnerability, but can be used to abuse the thrust of the
visitors in the affected website.

Comments on this entry (no comments)

Did you like this post? You can share your opinion with us! Simply click here.

Add Your Comment

Powered by sweet Captcha


× three = 18