Posted on Wednesday, 23rd September 2009 by Michael

PHPizabi: Possible vulnerability in information disclosure and database integrity

Vendor: Notified. I notified the vendor of this issue over three months ago and have not heard back from them regarding this threat. According to their website there have been no patches or core releases since the ones I have listed below.

Version: PHPizabi 0.848b C1 HFP1 (Alicia)

Hot fixes: 848 Core HotFix Pack 3 0848bC1_HFP3.zip and below

Product Info:

“More than a simple script, dating script, or even just a matchmaker; PHPizabi is a feature rich social networking platform that integrates everything you need to jumpstart your community, dating site, or social networking portal right out of the box. PHPizabi is one of the most reliable, safe, and solid platforms on the market, offering your users features they could only dream of.”

Vulnerability:

In the default configuration and installation of this script the “system” dir is left open, allowing directory indexing. When I discovered that the system dir was open I was able to download the configuration file, which contained sensitive information about the site such as the database connection information, including username and password.

To exploit:

1) Google: “Powered by PHPizabi”

2) http://sitename.com/system/

3) Download the file and open it in an editor.

Temp solutions:

1) Add a .htaccess to the system dir that contains

a. Options -Indexes

b. Note that this will not stop an attacker from retrieving the file directly, e.g. with wget against http://sitename.com/system/config.inc.php.

2) Make sure that the database can only be accessed locally.

a. The host I had permission to test this on had the database open to remote connections.

The vendor should have the file die when it is accessed directly, as they already do for files in the admin directory.
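A hardened .htaccess for the system dir that closes the gap noted above, added here as an example and not taken from PHPizabi or its vendor; it assumes Apache with AllowOverride permitting these directives for that directory:

```apache
# Disable directory indexing so /system/ no longer lists its contents.
# On its own this still leaves config.inc.php fetchable by direct URL.
Options -Indexes

# Deny direct HTTP requests to include files in this directory.
# PHP's include() from the application's own scripts is unaffected:
# it reads the file from disk, not over HTTP, so the site keeps working.
<FilesMatch "\.inc(\.php)?$">
    # Apache 2.4 syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 syntax
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

Verify on your own site that both /system/ and /system/config.inc.php now return 403 rather than a listing or file contents; if they do not, the vhost's AllowOverride setting is ignoring the .htaccess.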

Tested on: This has been tested against my site www.xxxxxxxx.com. I have done some edits to the code to protect my site and contacted the host about the database settings. The site address has been “X”ed out to protect it from people trying the attack against it.

Vulnerability Classification: Possible vulnerability in information disclosure and database integrity.

Thanks

Michael LaSalvia

www.digitaloffensive.com
