Kemana Directory 1.5.6 kemana_admin_passwd Cookie User Password Hash Disclosure
Title: Kemana Directory 1.5.6 kemana_admin_passwd Cookie User Password Hash Disclosure
Advisory ID: ZSL-2014-5179
Type: Local/Remote
Impact: Exposure of Sensitive Information
Risk: (2/5)
Release Date: 25.03.2014
PHP/5.5.6
MySQL 5.6.14
[10.03.2014] Vendor contacted.
[11.03.2014] Vendor responds asking more details.
[11.03.2014] Sent details to the vendor.
[12.03.2014] Working with the vendor.
[13.03.2014] Vendor working on a new version.
[21.03.2014] Asked vendor for status update.
[21.03.2014] Vendor promises patch release in April.
[25.03.2014] Public security advisory released.
[2] http://www.exploit-db.com/exploits/32506
[3] http://cxsecurity.com/issue/WLB-2014030198
[4] http://www.securityfocus.com/bid/66445
[5] http://www.c97.net/news/security-issues-with-qengine-family.php
[6] http://osvdb.org/show/osvdb/105046
[7] https://secunia.com/advisories/57561/
[26.03.2014] - Added reference [1], [2] and [3]
[27.03.2014] - Added reference [4] and [5]
[31.03.2014] - Added reference [6]
[09.04.2014] - Added reference [7]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2014-5179
Type: Local/Remote
Impact: Exposure of Sensitive Information
Risk: (2/5)
Release Date: 25.03.2014
Summary
Experience the ultimate directory script solution with Kemana. Create your own Yahoo or Dmoz easily with Kemana. Unique Kemana's features including: CMS engine based on our qEngine, multiple directories support, user friendly administration control panel, easy to use custom fields, unsurpassed flexibility.Description
Kemana contains a flaw that is due to the 'kemana_admin_passwd' cookie storing user password SHA1 hashes. This may allow a remote MitM attacker to more easily gain access to password information.Vendor
C97net - http://www.c97.netAffected Version
1.5.6Tested On
Apache/2.4.7 (Win32)PHP/5.5.6
MySQL 5.6.14
Vendor Status
[07.03.2014] Vulnerability discovered.[10.03.2014] Vendor contacted.
[11.03.2014] Vendor responds asking more details.
[11.03.2014] Sent details to the vendor.
[12.03.2014] Working with the vendor.
[13.03.2014] Vendor working on a new version.
[21.03.2014] Asked vendor for status update.
[21.03.2014] Vendor promises patch release in April.
[25.03.2014] Public security advisory released.
PoC
kemana_cookiehash.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://packetstormsecurity.com/files/125876[2] http://www.exploit-db.com/exploits/32506
[3] http://cxsecurity.com/issue/WLB-2014030198
[4] http://www.securityfocus.com/bid/66445
[5] http://www.c97.net/news/security-issues-with-qengine-family.php
[6] http://osvdb.org/show/osvdb/105046
[7] https://secunia.com/advisories/57561/
Changelog
[25.03.2014] - Initial release[26.03.2014] - Added reference [1], [2] and [3]
[27.03.2014] - Added reference [4] and [5]
[31.03.2014] - Added reference [6]
[09.04.2014] - Added reference [7]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk