- ############################################################################
- # Exploit Title : Web Wiz Forums 12.01 Database Backup Disclosure
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 26/02/2019
- # Vendor Homepage : webwiz.net
- # Software Download Link : webwiz.net/web-wiz-forums/forum-downloads.htm
- # Software Information Link : webwiz.net/company-info/about.htm
- # Software Affected Version : 6.34 - 9.64 and 12.01 and other previous versions
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium
- # Vulnerability Type : CWE-200 [ Information Exposure ]
- CWE-530 [ Exposure of Backup File to an Unauthorized Control Sphere ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ############################################################################
- # Description about Software :
- ***************************
- Web Wiz Ltd. is a Green Hosting and Data Centre Services Provider offering a wide range
- of Eco-Friendly Data Centre Services, Green Web Hosting, Cloud and
- Dedicated Servers, Managed Servers and Domain Name Registration Services.
- Web Wiz provides services designed to help businesses and individuals
- communicate, measure, and support their operations worldwide.
- ############################################################################
- # Impact :
- ***********
- Web Wiz Forum has been reported prone to a sensitive information disclosure vulnerability.
- An attacker may make a request for and download the underlying Access database file that is used by
- the Forum application. Sensitive information that is contained in the database and
- stored in plaintext format may be revealed to the attacker.
- Information collected in this way may be used to aid in further attacks against the system.
- It should be noted that all versions of Web Wiz Forums have been reported prone to this vulnerability.
- The remote web server contains an ASP-PHP application that is affected by an information disclosure vulnerability.
- The remote server is running Web Wiz Site Forum, a set of ASP-PHP scripts to manage online forums.
- This release comes with a 'wwforum.mdb' database, usually located under 'admin', that contains
- sensitive information, such as user passwords and email addresses.
- An attacker may use this flaw to gain unauthorized access to the affected application.
- ############################################################################
- # Database Backup Disclosure Exploit :
- *********************************
- VULNERABLESITE/[DOMAIN-ADDRESS.gov]/[PATH]/Forumo/admin/database/wwForum-backup.mdb
- VULNERABLESITE/[DOMAIN-ADDRESS.gov]/[PATH]/Forumo/admin/database/wwForum.mdb
- VULNERABLESITE/[DOMAIN-ADDRESS.gov]/[PATH]/forum/admin/database/wwForum.mdb
- ############################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ############################################################################
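
A defender-side check for the exposure described above, as an added example that is not part of the original advisory: it scans web server access logs for requests to Access database files and lists responses that actually served the file first. It assumes Combined Log Format; the function name, log lines and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format: host ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
DB_EXTENSIONS = (".mdb",)  # Access database files, as named in the advisory

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Feb/2019:10:00:01 +0000] "GET /forum/default.asp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [26/Feb/2019:10:00:05 +0000] "GET /forum/admin/database/wwForum.mdb HTTP/1.1" 404 0',
    '198.51.100.7 - - [26/Feb/2019:10:00:06 +0000] "GET /forum/admin/database/wwForum-backup.MDB HTTP/1.1" 200 1843200',
    'not a log line',
]

def _served(hit):
    """True when the response delivered (or confirmed a cached copy of) the file."""
    status = hit[3]
    return 200 <= status < 300 or status == 304

def find_db_downloads(lines):
    """Return (host, time, path, status, size) for requests targeting database files.

    Served responses come first: they mean the database left the server and
    its stored credentials should be treated as exposed. 403/404 entries are
    requests that were refused.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        # Drop the query string, decode percent-encoding, normalise case.
        path = unquote(urlsplit(m["target"]).path).lower()
        if not path.endswith(DB_EXTENSIONS):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append((m["host"], m["time"], path, int(m["status"]), size))
    return sorted(hits, key=lambda h: not _served(h))

if __name__ == "__main__":
    for host, when, path, status, size in find_db_downloads(SAMPLE_LOG):
        label = "SERVED" if _served((host, when, path, status, size)) else "refused"
        print(f"{label:7} {status} {size:>8} {host} {when} {path}")
```

A served hit means the database should be moved outside the web root and the stored passwords rotated.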