← Advisories

Kemana Directory 1.5.6 kemana_admin_passwd Cookie User Password Hash Disclosure

Low
Advisory ID
ZSL-2014-5179
Release Date
25 March 2014
Vendor
C97net - http://www.c97.net
Affected Version
1.5.6
CVE
N/A
Tested On
Apache/2.4.7 (Win32), PHP/5.5.6, MySQL 5.6.14
Summary

Experience the ultimate directory script solution with Kemana. Create your own Yahoo or Dmoz easily with Kemana. Unique Kemana's features including: CMS engine based on our qEngine, multiple directories support, user friendly administration control panel, easy to use custom fields, unsurpassed flexibility.

Description

Kemana contains a flaw that is due to the 'kemana_admin_passwd' cookie storing user password SHA1 hashes. This may allow a remote MitM attacker to more easily gain access to password information.

Proof of Concept
kemana_cookiehash.txtTXT
Disclosure Timeline
07.03.2014Vulnerability discovered.
10.03.2014Vendor contacted.
11.03.2014Vendor responds asking more details.
11.03.2014Sent details to the vendor.
12.03.2014Working with the vendor.
13.03.2014Vendor working on a new version.
21.03.2014Asked vendor for status update.
21.03.2014Vendor promises patch release in April.
25.03.2014Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://packetstormsecurity.com/files/125876
[2]http://www.exploit-db.com/exploits/32506
[3]http://cxsecurity.com/issue/WLB-2014030198
[4]http://www.securityfocus.com/bid/66445
[5]http://www.c97.net/news/security-issues-with-qengine-family.php
[6]http://osvdb.org/show/osvdb/105046
[7]https://secunia.com/advisories/57561/
Changelog
25.03.2014Initial release
26.03.2014Added reference [1], [2] and [3]
27.03.2014Added reference [4] and [5]
31.03.2014Added reference [6]
09.04.2014Added reference [7]