OSVDB: 4081
CVE: CAN-2002-0324
BID: 4169
X-Force: 8277
Bugtraq: Archive
Vendor: Greymatter
From: security curmudgeon (jericho@attrition.org) To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org Date: Sun, 24 Feb 2002 18:26:12 -0500 (EST) Subject: Greymatter 1.21c and earlier - remote login/pass exposure Software: Greymatter 1.21c and earlier Vulnerability: Remote administrator login/password exposure Vendor Status: Notified [0] I originally saw this posted on Metafilter [1] and linked to a two line description [2]. As with many other attacks, you can google for a specific file and find vulnerable sites all over. I did a quick check and found 4 vulnerable out of the first 10 google reported back. Anyway, since I have very limited experience with Greymatter (GM), and I have reported one security bug to the author before, I typed up some more notes on the bug. This will be fairly easy to catch using whisker/nikto if people use default installs (which is common). At the time of this post, Nikto [3] has been updated to look for the existance of Greymatter. The big sign of GM being present is /cgi-bin/gm.cgi .. that is the greymatter login screen and odds are GM is being run as root. Just getting the password will let you post to the blogger, erase entries, upload files and more. However, there are a lot of CGIs (listed below) associated with the package, many could be vulnerable to the older attacks. In the past I notified the author of a bug related to the password being stored in cleartext on the server, so that any local user could read it. This was actually discovered looking at the access_log of apache. When rebuilding the GM threads/pages, it will include the login name and password in the HREF. A simple grep of "password" through access_logs, or snooping through the GM install dirs will find the administrator login for GM. This prompted me to look at the cause of the HREF, and lead me to note that many of the GM files are mode 666 by default. The author acknowledged the vulnerability and indicated he rarely (if ever) supports the package. Many people are moving to Movable Type [4] which imports GM material and is being actively maintained. Movable Type apparently worries about security more as well. For those still using GM, there is user based support/upgrades/patches available [5]. The Greymatter home page can be found at http://noahgrey.com/greysoft/. About Greysoft from their page: Greymatter is the original^×and still the world's most popular^×opensource weblogging and journal software. With fully-integrated comments, searching, file uploading and image handling, completely customisable output through dozens of templates and variables, multiple author support, and many other features, Greymatter remains the weblog/journal program of choice for tens of thousands of people around the world. -- From the original post about the vulnerability [2]: How to hack greymatter driven sites Just search for a file called "gmrightclick" in google and download a file called "gmrightclick*.reg" where the stars represent a number. open it and there you have it: Username and Password for everyone to use. -- For those doing pen-testing or looking for the vuln, here are a few signs of greymatter being used: * button "powered by greymatter", links to: http://noahgrey.com/greysoft/ * text that says "greymatter" * default blog string: Posted by@