PHP-Gastebuch Disclosing System Information

A web application using PHP-Gastebuch has been reported to be prone to information disclosure. PHP-Gastebuch fails to restrict access to sensitive files on the server, so an attacker can read files such as the administrator’s MD5 password hash. Through this vulnerability, a remote user can access and view the ‘guestbookdat’ file, which contains the administrator’s settings for the application, and the ‘pwd’ password file, which contains the administrator’s MD5-hashed password. On many sites, an attacker can read the ‘guestbookdat’ file to view the administrator’s settings for the application and can also access the password file.

Some web applications use a guestbook (Gästebuch) to collect user-provided feedback. Some of these web applications use PHP-Gastebuch 1.60 or a lower version. These obsolete versions give an attacker access to sensitive data.

Example

The attacker can check whether the application is affected by opening the following URL in a web browser.

http://www.example.beaglesecurity.com/guestbook/guestbookdat

If the server responds positively, the attacker will then use the following URL to gain access to the application’s password file.

http://www.example.beaglesecurity.com/guestbook/pwd

Impact

A remote user can view information about the application’s configuration. A remote user can also access and view the administrator’s MD5-hashed password. Using this vulnerability, an attacker can:

  • leak authentication information.
  • reveal the system information of the server.
  • access the user information of each of the application’s users.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Protect the following two files:
    • guestbookdat
    • pwd
  • Restrict access to the guestbookdat and pwd files so they cannot be requested over the web.
  • If the application uses a third-party guestbook component, make sure it is not a vulnerable version of it.
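A defender can confirm from the web server’s access log whether the two files named above have been requested and whether the server actually served them (HTTP 200) or blocked them. The script below is an added example, not part of this advisory or of PHP-Gastebuch; the log lines are constructed, and the parse_line / find_disclosures helpers are hypothetical names chosen for this illustration.

```python
import re
from urllib.parse import unquote

# File names that PHP-Gastebuch 1.60 and earlier leaves world-readable
# inside the guestbook directory (from the advisory above).
SENSITIVE_FILES = ("guestbookdat", "pwd")

# Apache/nginx "combined" access-log format: we need the remote IP, timestamp, request line, status and size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string and decode %XX escapes so "pw%64" still matches "pwd".
    rec["path"] = unquote(rec["path"].split("?", 1)[0])
    return rec

def is_sensitive_path(path):
    """True when the last path segment is one of the two PHP-Gastebuch data files."""
    return path.rstrip("/").rsplit("/", 1)[-1] in SENSITIVE_FILES

def find_disclosures(lines):
    """Return every request for guestbookdat/pwd, flagging those the server actually served (HTTP 200)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_sensitive_path(rec["path"]):
            continue
        rec["served"] = rec["status"] == 200
        hits.append(rec)
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /guestbook/guestbookdat HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /guestbook/pwd HTTP/1.1" 200 33 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2023:14:02:10 +0000] "GET /guestbook/gastebuch.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:14:05:00 +0000] "GET /guestbook/pwd HTTP/1.1" 403 199 "-" "curl/7.88.1"',
]

if __name__ == "__main__":
    for h in find_disclosures(SAMPLE_LOG):
        print(h["ip"], h["method"], h["path"], h["status"], "SERVED" if h["served"] else "blocked")
```

A hit with served set to True means the file left the server and the password hash in ‘pwd’ should be treated as compromised; a 403 or 404 hit shows the access restriction is working but the path is being probed.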
