
Disclosure of sensitive information on the Chaos Constructions 2011 website

Not long ago, Chaos Constructions 2011, a festival of computer art, took place in St. Petersburg. The festival has an official website. On this site I discovered a full path disclosure, as well as the disclosure of some information about the structure of the database. It was found a couple of days before the festival. But, since I was a speaker, I did not publish information about it at the time. I am doing so now.

It all started when I wanted to see, in the "Seminars" section, who had registered for my talk. By the way, if anyone remembers, this information was available only to registered users, at least according to the creators of the site. In fact, the data could be obtained simply by following the link; the link just was not shown to unregistered users.

Seeing a link like that, I was itching to play with it a little: party11.cc.org.ru/seminar_info.php?id='53
')
And this is the picture that appeared before me:



As you can see, information about the site installation path (physical location on the server) is disclosed, as well as some information about the database structure.

At first I thought this was exactly what I was looking for. But, looking at the browser's address bar, I found that I had been redirected to the page party11.cc.org.ru/_shared/p_error.php. As it turned out, it was the transition to this page that caused this behavior. Apparently, SQL injection or anything else of that kind could not be done.

Searching Google for part of the error text, "plFetchMailTemplate()", leads us to the source of this vulnerability (if you can call it that). It turns out to be the PartyMeister CMS. The festival website itself confirms that it uses this CMS:




Using Google I managed to find a few more sites with the same problem. But when I visited them again today, the error was no longer shown. They have probably already been updated.

Notably, the PartyMeister changelog contains no information about this vulnerability being fixed. It is therefore unknown which versions of this CMS are affected by the described problem.
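
Because the changelog does not say which versions are affected, a site operator can check what their own error pages return. The following is an added example, not code from the original post or from PartyMeister: it scans a response body for absolute server paths and database error fragments. The patterns and both sample pages are constructed for illustration.

```python
import re

# Patterns are illustrative assumptions, not taken from PartyMeister.
PATH_PATTERNS = [
    # Unix absolute path under a common server root, ending in a PHP file.
    re.compile(r"(?<![\w:/.])/(?:var|home|srv|usr|opt|mnt|www)/(?:[\w.-]+/)*[\w.-]+\.(?:php|inc)\b"),
    # Windows absolute path ending in a PHP file.
    re.compile(r"\b[A-Za-z]:\\(?:[\w .-]+\\)*[\w.-]+\.(?:php|inc)\b"),
]
DB_PATTERNS = [
    # MySQL error texts that reveal query or schema details.
    re.compile(r"You have an error in your SQL syntax"),
    re.compile(r"Unknown column '[^']+'"),
    re.compile(r"Table '[^']+' doesn't exist"),
    # Echoed query naming a table (upper-case keywords only, to skip prose).
    re.compile(r"\bSELECT\b[^<>]{1,200}?\bFROM\s+`?\w+"),
]

def find_disclosures(body):
    """Return server paths and database details leaked in a response body."""
    return {
        "paths": [m for rx in PATH_PATTERNS for m in rx.findall(body)],
        "database": [m for rx in DB_PATTERNS for m in rx.findall(body)],
    }

def is_leaky(body):
    """True if the body exposes a server path or database detail."""
    found = find_disclosures(body)
    return bool(found["paths"] or found["database"])

# Constructed sample responses (not captured from any real site).
LEAKY_PAGE = """<html><body><h1>Error</h1>
<p>Query failed in /var/www/example-site/htdocs/_lib/db.php on line 118</p>
<pre>SELECT subject, body FROM example_table WHERE id = 53</pre>
<p>You have an error in your SQL syntax near line 1</p>
<a href="/index.php">Back</a></body></html>"""

GENERIC_PAGE = """<html><body><h1>Error</h1>
<p>Something went wrong. Reference: 7f3a9c</p>
<a href="/index.php">Back</a></body></html>"""

if __name__ == "__main__":
    for name, page in (("leaky", LEAKY_PAGE), ("generic", GENERIC_PAGE)):
        print(name, is_leaky(page), find_disclosures(page))
```

A page that passes this check shows the visitor only a generic message and a reference, with the path and query details kept in the server-side log.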

Festival representatives were notified of the problem, but no changes have been made to their site yet.

Source: https://habr.com/ru/post/128384/

