YetiShare 3.5.2 — 4.5.4 Multiple vulnerabilities

So previously I wrote about a few vulnerabilities that I found in YetiShare (https://medium.com/@jra8908/yetishare-3-5-2-4-5-3-multiple-vulnerabilities-2d01d0cd7459) and during the process of testing the fixes that were made, I found a few more. These have been cleared to write about now, so here they are 😊.
SQL injection in multiple places v3.5.2–v4.5.4
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20059
Github: https://github.com/jra89/CVE-2019-20059
The previous patch missed a few spots, which have been mitigated in version 4.5.5 of YetiShare. So it's pretty much the same issue as before: someone logged in as an Administrator can perform an SQL injection, or someone can send a crafted link to an Administrator and have them click it, executing the injected SQL.
[00:19:10] [INFO] testing connection to the target URL
[00:19:10] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: sSortDir_0 (GET)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Type: time-based blind
Title: MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)
---
[00:19:10] [INFO] testing MySQL
[00:19:10] [INFO] confirming MySQL
[00:19:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.0
[00:19:10] [INFO] fetching current user
[00:19:10] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[00:19:10] [INFO] retrieved: root@localhost
current user: 'root@localhost'
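The sqlmap output above shows the injection point is the sSortDir_0 parameter inside an ORDER BY clause. That is worth a closer look, because a prepared statement alone will not fix it: bound parameters carry values, not column names or the ASC/DESC keyword, so the only sound control is an allowlist. The example below is added here to illustrate that pattern; it is not YetiShare's code (YetiShare is PHP, this is Python with sqlite3 for portability) and the table, column map and file names are constructed for the demo.

```python
import sqlite3

# Only these values may ever reach the ORDER BY clause. Bound parameters cannot
# carry identifiers or keywords, so an allowlist is the right control here.
ALLOWED_SORT_DIRS = {"asc": "ASC", "desc": "DESC"}
# Hypothetical column-index map, constructed for this demo (not YetiShare's schema).
ALLOWED_SORT_COLS = {"0": "filename", "1": "size_bytes", "2": "uploaded"}


def order_by_unsafe(sort_col, sort_dir):
    """Vulnerable pattern: request values are pasted into the SQL text, so whatever
    arrives in a parameter such as sSortDir_0 becomes part of the statement."""
    return f"SELECT filename FROM files ORDER BY {sort_col} {sort_dir}"


def order_by_safe(sort_col_index, sort_dir):
    """Hardened pattern: both request values are mapped through allowlists and the
    request is rejected outright if either one is not a known key."""
    column = ALLOWED_SORT_COLS.get(str(sort_col_index))
    direction = ALLOWED_SORT_DIRS.get(str(sort_dir).strip().lower())
    if column is None or direction is None:
        raise ValueError("sort parameter not in allowlist")
    return f"SELECT filename FROM files ORDER BY {column} {direction}"


def is_rejected(sort_col_index, sort_dir):
    """True if the hardened builder refuses this pair of request values."""
    try:
        order_by_safe(sort_col_index, sort_dir)
    except ValueError:
        return True
    return False


def demo_db():
    """Constructed in-memory table standing in for the file listing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (filename TEXT, size_bytes INTEGER, uploaded TEXT)")
    conn.executemany(
        "INSERT INTO files VALUES (?, ?, ?)",
        [("a.txt", 300, "2019-01-03"), ("b.txt", 100, "2019-01-01"), ("c.txt", 200, "2019-01-02")],
    )
    return conn


def list_files(conn, sort_col_index, sort_dir):
    """Run the allowlisted query and return the filenames in the requested order."""
    return [row[0] for row in conn.execute(order_by_safe(sort_col_index, sort_dir))]


if __name__ == "__main__":
    conn = demo_db()
    print(list_files(conn, "1", "desc"))   # ['a.txt', 'c.txt', 'b.txt']
    print(is_rejected("1", "sideways"))    # True
```

The point of the allowlist is that the request value is never used as SQL at all; it is only a key into a dictionary the application controls, so the query text can contain nothing the developer did not write.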
Reset password hash never expires v3.5.2 — v4.5.4
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20062
In my previous post about the password reset hash I wrote a script that would brute force the hash and reset the administrator's password. This has since been fixed in version 4.5.5, but the hash never expires, which still poses a small risk of someone getting their hands on an old hash and resetting the account password.
New user gets password in E-mail v3.5.2 — v4.5.4
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20061
When a new account is created a password is generated and then sent via E-mail to the user. In many cases this password will stay the same and will not only sit in the user's inbox but might also have been picked up by someone on the way between the YetiShare server and the user's E-mail server. Preferably the user should get a link which forces them to create their own password, and then said link should expire. Or the password that is sent should force the user to create a new password during their first login.
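Both of the last two issues (a reset hash that never expires, and a fixed password sent by E-mail) have the same fix: a random, single-use, time-limited link that lets the user set their own password. The example below is added here to show that mechanism end to end; it is not YetiShare's code, the host in BASE_URL is a placeholder, and the one-hour lifetime and the in-memory store are assumptions made for the demo.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Assumptions for this demo: links are valid for one hour and usable exactly once.
LINK_TTL = timedelta(hours=1)
BASE_URL = "https://share.example.test/set-password"  # constructed placeholder host


def _digest(token):
    # Store only a hash of the token: a copy of the table does not yield working links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class PasswordLinkStore:
    """In-memory stand-in for the table a real application would keep these in."""

    def __init__(self):
        self._records = {}  # sha256(token) -> {"user": id, "expires": datetime, "used": bool}

    def issue(self, user_id, now):
        """Create a fresh single-use link for user_id (new account or reset) and return it."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._records[_digest(token)] = {"user": user_id, "expires": now + LINK_TTL, "used": False}
        return f"{BASE_URL}?t={token}"

    def redeem(self, token, now):
        """Return the user id the token belongs to, or None if it is unknown, expired or used."""
        record = self._records.get(_digest(token))
        if record is None:
            return None
        if record["used"] or now >= record["expires"]:
            return None
        record["used"] = True  # burn it: the same link cannot set a password twice
        return record["user"]


def token_from_link(link):
    """Pull the token back out of a link built by issue()."""
    return link.rsplit("?t=", 1)[1]


def demo():
    """Walk through issue -> redeem -> replay -> expiry and report each outcome."""
    t0 = datetime(2019, 12, 1, 12, 0, tzinfo=timezone.utc)
    store = PasswordLinkStore()
    link = store.issue("user-42", t0)
    tok = token_from_link(link)
    first = store.redeem(tok, t0 + timedelta(minutes=10))    # within the hour: accepted
    replay = store.redeem(tok, t0 + timedelta(minutes=11))   # same link again: refused
    stale_link = store.issue("user-43", t0)
    expired = store.redeem(token_from_link(stale_link), t0 + LINK_TTL)  # exactly at expiry: refused
    unknown = store.redeem("not-a-real-token", t0)           # never issued: refused
    return {"first": first, "replay": replay, "expired": expired, "unknown": unknown}


if __name__ == "__main__":
    print(demo())  # {'first': 'user-42', 'replay': None, 'expired': None, 'unknown': None}
```

Three properties do the work here: the token is unguessable, so there is nothing to brute force; only its hash is stored, so an old database dump or log line does not contain a usable link; and the record is both time-limited and marked used on first redemption, so an old link found later (in an inbox, a proxy log, or a Referer header) is worthless.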
Referer leaks sensitive data v3.5.2 — v4.5.4
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20060
YetiShare has support for ads, and has a host for images already configured by default (although it doesn't seem to work, so I'm not sure whether it's old functionality or not). Either way, sensitive URLs like links to administrate or delete private files, or the link used when resetting a password, can all be leaked via the Referer header to third parties.
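Whether a third-party image host actually receives the page URL (and the secret in its query string) depends on the Referrer Policy in force. The example below is added here to make that concrete: it is not YetiShare's code, the page and image URLs are constructed placeholders, and the function reproduces the standard policy rules for a cross-origin https-to-https request, which is exactly the ad image case. Under the long-standing browser default of no-referrer-when-downgrade the full URL, reset hash included, goes to the image host; a Referrer-Policy response header (or an equivalent meta tag) stops that without touching every link.

```python
from urllib.parse import urlsplit, urlunsplit

SECURE_SCHEMES = {"https", "wss"}

# Constructed sample: a sensitive page (the query carries the reset hash) that embeds
# an image from a third-party host. Both values are placeholders, not real YetiShare URLs.
SENSITIVE_PAGE = "https://share.example.test/reset_password?h=CONSTRUCTED_HASH_VALUE"
THIRD_PARTY_IMAGE = "https://ads.example.test/banner.gif"

POLICIES = (
    "no-referrer", "same-origin", "origin", "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "no-referrer-when-downgrade", "unsafe-url",
)


def _origin(url):
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}"


def _full_referrer(url):
    # Browsers always strip credentials and the fragment before sending a referrer.
    p = urlsplit(url)
    return urlunsplit((p.scheme, _origin(url).split("://", 1)[1], p.path or "/", p.query, ""))


def referrer_sent(page_url, request_url, policy):
    """Referer value a browser sends for a request from page_url to request_url under
    the given Referrer Policy, or None if nothing is sent."""
    same_origin = _origin(page_url) == _origin(request_url)
    downgrade = (urlsplit(page_url).scheme in SECURE_SCHEMES
                 and urlsplit(request_url).scheme not in SECURE_SCHEMES)
    full, origin_only = _full_referrer(page_url), _origin(page_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin_only
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown policy {policy!r}")


def leaks_query(page_url, request_url, policy):
    """True if the page's query string (where the secret lives) reaches request_url's host."""
    ref = referrer_sent(page_url, request_url, policy)
    query = urlsplit(page_url).query
    return bool(query) and ref is not None and query in ref


def policies_that_leak(page_url=SENSITIVE_PAGE, request_url=THIRD_PARTY_IMAGE):
    """Which policies would hand the secret in page_url to the third-party image host."""
    return [p for p in POLICIES if leaks_query(page_url, request_url, p)]


def hardened_headers(policy="strict-origin-when-cross-origin"):
    """Response header a server can send site-wide; the same value can also be set per
    page with <meta name="referrer" content="..."> if the header is not available."""
    return {"Referrer-Policy": policy}


if __name__ == "__main__":
    print(policies_that_leak())  # ['no-referrer-when-downgrade', 'unsafe-url']
```

strict-origin-when-cross-origin is the usual choice: same-origin requests still get the full referrer (so the application's own analytics and CSRF checks keep working), while any third party only ever learns the origin. Pages that carry secrets in the URL, like the reset link, are better served with no-referrer outright, and better still by not putting the secret in a URL that renders third-party content at all.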


That’s all for now. More in the queue though 😁