Ticket #756 (closed bug: fixed)

Opened 2 years ago

Last modified 2 years ago

Path disclosures and so on..

Reported by: anonymous Owned by: omry
Priority: Normal Milestone:
Component: FireStats Version: 1.4
Severity: Normal Keywords:
Cc: Qwazar

Description

Path disclosures:

stats/integration/mediawiki/firestats-mediawiki.php
stats/php/tabbed-pane.php
stats/php/tools-menu.php
stats/firestats-wordpress.php
stats/php/ip2country.php
stats/php/footer.php
status.php
stats/php/page-stats.php
stats/login.php
stats/php/page-add-admin.php
stats/firestats-gregarius.php
stats/lib/ip2c/benchmark.php
stats/lib/ezsql/mysql/ez_sql_mysql.php

Also there is a way to get users'/admins' emails:

http://site/stats/php/page-users.php
http://site/stats/php/window-edit-user.php?user_id=1

Here a not-logged-in user can get dbname, dbhost, dbprefix:

http://site/stats/php/page-database.php
http://site/stats/tools.php?file_id=system_test

It is not good for site security.

Attachments

Change History

Changed 2 years ago by omry

Can you be more specific about what you call path disclosure?

For example, when I open http://site/firestats/integration/mediawiki/firestats-mediawiki.php I get no output.

Changed 2 years ago by omry

  • cc Qwazar added

Also, how can you get database information through http://site/stats/tools.php?file_id=system_test ?

Changed 2 years ago by anonymous

Here: http://test4.ru/stats/tools.php?file_id=system_test

I got an error "Some of your tables are not using the InnoDB engine, which is required by FireStats. wierd things may happen (dbsfsfirestats_archive_countries ...", so I can get the DB prefix, which can be useful for a hacker who found a Blind SQL Injection.

Changed 2 years ago by anonymous

Sorry again, but there is output in http://site/firestats/integration/mediawiki/firestats-mediawiki.php; maybe I have it because I have not installed MediaWiki or any other CMS. I haven't seen any kind of documentation or package for the standalone version only, without plugins, so there is a disclosure that works only on standalone versions of FireStats.

There is a screenshot: http://www.x2b.ru/get/412 (Qwazar)

Changed 2 years ago by omry

All those problems are fixed in SVN now; if you can test it before I release, it will be great.

Changed 2 years ago by omry

  • status changed from new to closed
  • resolution set to fixed

fixed in 1.5.10-RC4
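A regression check for the disclosures reported in this ticket, added here as an example (it is not FireStats code and not the reporter's): it builds the URL of every path from the report under one install and flags responses that print an absolute server path (the trailing "in /path/file.php on line N" of a PHP warning) or one of the database words named above. The fetch callable and the sample PHP warning body are assumptions.

```python
import re
from urllib.parse import urljoin

# Files named in the ticket, relative to the FireStats install directory.
TICKET_PATHS = [
    "integration/mediawiki/firestats-mediawiki.php", "php/tabbed-pane.php",
    "php/tools-menu.php", "firestats-wordpress.php", "php/ip2country.php",
    "php/footer.php", "status.php", "php/page-stats.php", "login.php",
    "php/page-add-admin.php", "firestats-gregarius.php",
    "lib/ip2c/benchmark.php", "lib/ezsql/mysql/ez_sql_mysql.php",
    "php/page-database.php", "tools.php?file_id=system_test",
]

# A PHP warning/fatal message ends with "in <absolute path> on line N"; that
# path is the full-path disclosure. Matches Unix and Windows-style paths.
FULL_PATH_RE = re.compile(
    r"\bin\s+((?:/|[A-Za-z]:[\\/])[^\s\"']+?\.php)\s+on\s+line\s+\d+", re.I)
# Words the reporter saw leak: database host/name/prefix and the InnoDB check.
DB_INFO_RE = re.compile(r"\b(dbhost|dbname|dbprefix|InnoDB)\b", re.I)
TAG_RE = re.compile(r"<[^>]+>")  # PHP wraps paths in <b>...</b> in HTML output

def find_disclosures(body: str) -> dict:
    """Absolute server paths and DB-config words found in one response body."""
    text = TAG_RE.sub("", body)
    return {
        "paths": sorted(set(FULL_PATH_RE.findall(text))),
        "db_info": sorted({m.lower() for m in DB_INFO_RE.findall(text)}),
    }

def build_urls(base_url: str, paths=TICKET_PATHS) -> list:
    """Absolute URLs for every path from the ticket under one install."""
    base = base_url if base_url.endswith("/") else base_url + "/"
    return [urljoin(base, p) for p in paths]

def check_install(base_url: str, fetch) -> dict:
    """fetch(url) -> body text. Returns {url: disclosures} for leaking URLs only."""
    results = {}
    for url in build_urls(base_url):
        hits = find_disclosures(fetch(url))
        if hits["paths"] or hits["db_info"]:
            results[url] = hits
    return results

# Constructed sample of what an unguarded include file prints when opened
# directly with display_errors on (not a real FireStats response).
SAMPLE_BODY = (
    '<br /><b>Warning</b>: include(../firestats.php): failed to open stream '
    'in <b>/var/www/html/stats/php/footer.php</b> on line <b>3</b><br />'
)
```

Pass `check_install` any callable that returns the response body for a URL (for a live check, one built on `urllib.request.urlopen` that also returns the body of 4xx/5xx responses, since PHP fatals may come back as 500); an empty result after the 1.5.10 fix is what the reporter was asked to confirm.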
