← Advisories

Kemana Directory 1.5.6 Database Backup Disclosure Exploit

Medium
Advisory ID
ZSL-2014-5176
Release Date
25 March 2014
Vendor
C97net - http://www.c97.net
Affected Version
1.5.6
CVE
N/A
Tested On
Apache/2.4.7 (Win32), PHP/5.5.6, MySQL 5.6.14
Summary

Experience the ultimate directory script solution with Kemana. Create your own Yahoo or Dmoz easily with Kemana. Unique Kemana's features including: CMS engine based on our qEngine, multiple directories support, user friendly administration control panel, easy to use custom fields, unsurpassed flexibility.

Description

Kemana stores database backups using the Backup DB tool with a predictable file name inside the '/admin/backup' directory as '_Full Backup YYYYMMDD_1.sql' or '_Full Backup YYYYMMDD_1.gz', which can be exploited to disclose sensitive information by downloading the file. The '/admin/backup' is also vulnerable to directory listing by default.

Proof of Concept
kemana_dbd.phpTXT
Disclosure Timeline
07.03.2014Vulnerability discovered.
10.03.2014Vendor contacted.
11.03.2014Vendor responds asking more details.
11.03.2014Sent details to the vendor.
12.03.2014Working with the vendor.
13.03.2014Vendor working on a new version.
21.03.2014Asked vendor for status update.
21.03.2014Vendor promises patch release in April.
25.03.2014Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://www.zeroscience.mk/#/advisories/ZSL-2014-5172
[2]https://www.zeroscience.mk/#/advisories/ZSL-2014-5180
[3]http://packetstormsecurity.com/files/125873
[4]http://www.exploit-db.com/exploits/32509
[5]http://cxsecurity.com/issue/WLB-2014030199
[6]http://www.c97.net/news/security-issues-with-qengine-family.php
[7]http://osvdb.org/show/osvdb/105109
[8]https://secunia.com/advisories/57561/
Changelog
25.03.2014Initial release
26.03.2014Added reference [3], [4] and [5]
27.03.2014Added reference [6]
31.03.2014Added reference [7]
09.04.2014Added reference [8]