YetiShare 3.5.2 — 4.5.4 Multiple vulnerabilities


So previously I wrote about a few vulnerabilities that I found in YetiShare (https://medium.com/@jra8908/yetishare-3-5-2-4-5-3-multiple-vulnerabilities-2d01d0cd7459) and during the process of testing the fixes that were made, I found a few more. These have been cleared to write about now, so here they are 😊.

SQL injection in multiple places v3.5.2–v4.5.4

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20059

Github: https://github.com/jra89/CVE-2019-20059

The previous patch missed a few spots, which have been mitigated in version 4.5.5 of YetiShare. So it’s pretty much the same issue as before: someone logged in as an Administrator can perform an SQL injection, or someone can send a crafted link to an Administrator and have them click it, executing the injected SQL.

[00:19:10] [INFO] testing connection to the target URL
[00:19:10] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: sSortDir_0 (GET)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause

Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)

Type: time-based blind
Title: MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)
---
[00:19:10] [INFO] testing MySQL
[00:19:10] [INFO] confirming MySQL
[00:19:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[00:19:10] [INFO] fetching current user
[00:19:10] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[00:19:10] [INFO] retrieved: root@localhost
current user: 'root@localhost'
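The injection point sqlmap reports above is a sort-direction parameter, i.e. it lands in an ORDER BY clause, where prepared-statement placeholders cannot be used. The usual fix is to treat the column and direction as an enum mapped onto fixed server-side strings and to reject everything else. The following is an added example in Python with sqlite3, not YetiShare's own (PHP) code; the table, column names and sample rows are constructed for the demo, and only the parameter name `sSortDir_0` comes from the sqlmap output.

```python
"""Allowlisted ORDER BY construction for a paginated file listing.

Added example, not YetiShare's code. The `files` table, its columns and the
rows in demo_db() are constructed for this demo.
"""
import sqlite3

# Request values a client may send, mapped to the real SQL identifiers.
SORTABLE_COLUMNS = {
    "filename": "filename",
    "size": "file_size",
    "uploaded": "uploaded_at",
}
# The value of a parameter such as sSortDir_0 is looked up here, never interpolated.
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort_col: str, sort_dir: str) -> str:
    """Return an ORDER BY fragment, or raise ValueError on anything not allowlisted.

    Identifiers and keywords cannot be bound as query parameters, so the only
    safe way to let the client choose them is to map the request value onto a
    fixed set of server-side strings. Unknown values are rejected outright
    rather than escaped or sanitized.
    """
    try:
        column = SORTABLE_COLUMNS[sort_col]
        direction = SORT_DIRECTIONS[sort_dir.lower()]
    except (KeyError, AttributeError):
        raise ValueError(f"unsupported sort {sort_col!r} {sort_dir!r}")
    return f"ORDER BY {column} {direction}"


def list_files(conn: sqlite3.Connection, owner_id: int, sort_col: str,
               sort_dir: str, limit: int = 10):
    """Run the listing query.

    Only the allowlisted fragment is interpolated into the SQL text; every
    user-controlled *value* (owner id, page size) goes through a bound parameter.
    """
    sql = ("SELECT filename, file_size FROM files WHERE owner_id = ? "
           f"{build_order_by(sort_col, sort_dir)} LIMIT ?")
    return conn.execute(sql, (owner_id, limit)).fetchall()


def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner_id INT, "
                 "filename TEXT, file_size INT, uploaded_at TEXT)")
    conn.executemany(
        "INSERT INTO files (owner_id, filename, file_size, uploaded_at) VALUES (?, ?, ?, ?)",
        [
            (1, "report.pdf", 2048, "2019-12-01"),
            (1, "photo.jpg", 4096, "2019-12-03"),
            (2, "secret.txt", 10, "2019-12-02"),
        ],
    )
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(list_files(conn, 1, "size", "desc"))
    try:
        build_order_by("size", "desc, 1")  # anything beyond the two keywords is refused
    except ValueError as e:
        print("rejected:", e)
```

The important property is that `build_order_by` never emits a string that did not originate in the two dictionaries, so the request parameter can only pick between fixed fragments; a log of `ValueError` rejections from this function is also a cheap signal that someone is probing the sort parameters.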

Reset password hash never expires v3.5.2 — v4.5.4

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20062

In my previous post about the password reset hash I wrote a script that would brute force the hash and reset the administrator’s password. This has since been fixed in version 4.5.5, but the hash never expires, which still poses a small risk of someone getting their hands on an old hash and resetting the account password.

New user gets password in E-mail v3.5.2 — v4.5.4

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20061

When a new account is created a password is generated and then sent via E-mail to the user. In many cases this password will stay the same, and will not only sit in the user’s inbox but might also have been picked up by someone in transit between the YetiShare server and the user’s E-mail server. Preferably the user should get a link which forces them to create their own password, and that link should expire. Alternatively, the password that is sent should force the user to create a new password during their first login.
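Both of the last two issues (a reset hash that never expires, and a generated password mailed to a new user) come down to the same mechanism: an e-mailed link should carry a random, single-use token with a fixed lifetime, and the server should store only a hash of it. The following is an added example in Python, not YetiShare's code; the `TokenStore` class, the one-hour TTL and the in-memory `users` dictionary are assumptions standing in for the application's database.

```python
"""Expiring, single-use account links for password reset and first-login setup.

Added example, not YetiShare's code. One TokenStore serves both flows: the
token is random, only its SHA-256 is stored, it expires after TOKEN_TTL_SECONDS
and it is consumed on first successful use. The dict-based store and the
`users` mapping are stand-ins for a real database.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 60 * 60  # assumption: one hour is enough to act on an e-mail


@dataclass
class PendingToken:
    user_id: int
    purpose: str        # "reset" or "setup"; a token is only good for the flow it was issued for
    expires_at: float
    used: bool = False


class TokenStore:
    def __init__(self, now=time.time):
        self._now = now                       # injectable clock so expiry can be tested
        self._tokens: dict[bytes, PendingToken] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user_id: int, purpose: str) -> str:
        """Create a token and return the secret to embed in the e-mailed link.

        Only the hash is kept, so a dump of this table does not yield working links.
        """
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = PendingToken(
            user_id, purpose, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, purpose: str):
        """Return the user_id if the token is valid for this purpose, else None.

        Rejects tokens that are unknown, already used, expired, or issued for a
        different purpose, and marks a valid token used so it cannot be replayed.
        """
        pending = self._tokens.get(self._digest(token))
        if pending is None or pending.used:
            return None
        if pending.purpose != purpose or self._now() > pending.expires_at:
            return None
        pending.used = True
        return pending.user_id


def create_account(store: TokenStore, users: dict, user_id: int, email: str) -> str:
    """New-account flow: no password is generated or mailed. The account has no
    password hash until the setup link is used, so it cannot log in before then."""
    users[user_id] = {"email": email, "password_hash": None}
    return store.issue(user_id, "setup")


def complete_link(store: TokenStore, users: dict, token: str, purpose: str,
                  new_password: str) -> bool:
    """Redeem a setup or reset link and store the user-chosen password."""
    uid = store.redeem(token, purpose)
    if uid is None:
        return False
    salt = secrets.token_bytes(16)
    users[uid]["password_hash"] = (
        salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
    return True


if __name__ == "__main__":
    store, users = TokenStore(), {}
    link_token = create_account(store, users, 7, "alice@example.invalid")  # constructed
    print("setup ok:", complete_link(store, users, link_token, "setup", "correct horse"))
    print("replay ok:", complete_link(store, users, link_token, "setup", "again"))  # False
```

The same store backs the reset flow: `store.issue(uid, "reset")` produces the link, and `complete_link(..., "reset", ...)` consumes it, so an old reset hash found in a mailbox months later is refused by the expiry check rather than accepted.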

Referer leaks sensitive data v3.5.2 — v4.5.4

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20060

YetiShare has support for ads, and has a host for images already configured by default (although it doesn’t seem to work, so I’m not sure whether it’s old functionality or not). Either way, sensitive URLs like links to administrate or delete private files, or the link used when resetting a password, can all be leaked to third parties via the Referer header when the page loads resources from another host.

Here a link to delete a private file is leaked to dreamhost.com
In this example the hash used to reset an account password is leaked to dreamhost.com
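The browser-side fix for the leak shown above is a `Referrer-Policy: no-referrer` response header (or the equivalent `<meta>` tag), which makes the browser omit the Referer when it fetches ad images and other third-party resources from a page whose URL carries a secret. The following is an added example in Python, not YetiShare's (PHP) code: a small WSGI middleware that adds the header to every response, plus an audit helper that lists the cross-origin resources a page embeds. `demo_app`, the hostnames and the HTML are constructed for the demo.

```python
"""Referrer-Policy middleware and a cross-origin resource audit helper.

Added example, not YetiShare's code. demo_app, ads.example.invalid and
share.example.invalid are constructed for the demo.
"""
import re
from urllib.parse import urlsplit
from wsgiref.util import setup_testing_defaults

SECURITY_HEADERS = {
    # Browser sends no Referer at all, to any origin, for requests from this page.
    "Referrer-Policy": "no-referrer",
    # Pages whose URL carries a secret should also stay out of shared caches.
    "Cache-Control": "no-store",
}


class ReferrerPolicyMiddleware:
    """Wrap any WSGI app and add the headers above unless the app already set them."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def _start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in SECURITY_HEADERS.items():
                if name.lower() not in present:
                    headers.append((name, value))
            return start_response(status, headers, exc_info)
        return self.app(environ, _start)


def demo_app(environ, start_response):
    """Constructed page that embeds an ad image from another host."""
    body = (b"<html><body><img src='https://ads.example.invalid/pixel.gif'>"
            b"<a href='/files'>my files</a></body></html>")
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body]


def call(app, path: str):
    """Invoke a WSGI app offline; return (status, headers as dict, body bytes)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def third_party_resources(html: str, site_host: str) -> list:
    """Audit helper: every src/href on the page that points at another host.

    Each of these is a request that carries the page URL as Referer unless a
    policy forbids it, so this lists which pages need the header most.
    """
    urls = re.findall(r"""(?:src|href)=["']([^"']+)["']""", html)
    return [u for u in urls if urlsplit(u).hostname not in (None, site_host)]


if __name__ == "__main__":
    app = ReferrerPolicyMiddleware(demo_app)
    status, headers, body = call(app, "/reset?hash=CONSTRUCTED_VALUE")
    print(status, headers)
    print(third_party_resources(body.decode(), "share.example.invalid"))
```

Applying the policy site-wide rather than only on the reset page is the safer choice here, since the admin and private-file links the post mentions are spread across the application; the audit helper is useful when deciding whether a given third-party include belongs on a page at all.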

That’s all for now. More in the queue though 😁

I program, hack, and write odd stories. I currently work for an IT-security company called Defensify.
