Kemana Directory 1.5.6 Database Backup Disclosure Exploit

Title: Kemana Directory 1.5.6 Database Backup Disclosure Exploit
Advisory ID: ZSL-2014-5176
Type: Local/Remote
Impact: Exposure of Sensitive Information
Risk: (3/5)
Release Date: 25.03.2014
Summary
Experience the ultimate directory script solution with Kemana. Create your own Yahoo or Dmoz easily with Kemana. Unique Kemana's features including: CMS engine based on our qEngine, multiple directories support, user friendly administration control panel, easy to use custom fields, unsurpassed flexibility.
Description
Kemana stores database backups using the Backup DB tool with a predictable file name inside the '/admin/backup' directory as '_Full Backup YYYYMMDD_1.sql' or '_Full Backup YYYYMMDD_1.gz', which can be exploited to disclose sensitive information by downloading the file. The '/admin/backup' is also vulnerable to directory listing by default.
Vendor
C97net - http://www.c97.net
Affected Version
1.5.6
Tested On
Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vendor Status
[07.03.2014] Vulnerability discovered.
[10.03.2014] Vendor contacted.
[11.03.2014] Vendor responds asking more details.
[11.03.2014] Sent details to the vendor.
[12.03.2014] Working with the vendor.
[13.03.2014] Vendor working on a new version.
[21.03.2014] Asked vendor for status update.
[21.03.2014] Vendor promises patch release in April.
[25.03.2014] Public security advisory released.
PoC
kemana_dbd.php
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5172.php
[2] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5180.php
[3] http://packetstormsecurity.com/files/125873
[4] http://www.exploit-db.com/exploits/32509
[5] http://cxsecurity.com/issue/WLB-2014030199
[6] http://www.c97.net/news/security-issues-with-qengine-family.php
[7] http://osvdb.org/show/osvdb/105109
[8] https://secunia.com/advisories/57561/
Changelog
[25.03.2014] - Initial release
[26.03.2014] - Added reference [3], [4] and [5]
[27.03.2014] - Added reference [6]
[31.03.2014] - Added reference [7]
[09.04.2014] - Added reference [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk