OSVDB: 4081
CVE: CAN-2002-0324
BID: 4169
X-Force: 8277
Bugtraq: Archive
Vendor: Greymatter


From: security curmudgeon (jericho@attrition.org)
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Date: Sun, 24 Feb 2002 18:26:12 -0500 (EST)
Subject: Greymatter 1.21c and earlier - remote login/pass exposure



Software: Greymatter 1.21c and earlier
Vulnerability: Remote administrator login/password exposure
Vendor Status: Notified [0]

I originally saw this posted on Metafilter [1] and linked to a two line
description [2]. As with many other attacks, you can google for a specific
file and find vulnerable sites all over. I did a quick check and found 4
vulnerable out of the first 10 google reported back. Anyway, since I have
very limited experience with Greymatter (GM), and I have reported one
security bug to the author before, I typed up some more notes on the bug.
This will be fairly easy to catch using whisker/nikto if people use
default installs (which is common). At the time of this post, Nikto [3]
has been updated to look for the existance of Greymatter. The big sign of
GM being present is /cgi-bin/gm.cgi .. that is the greymatter login screen
and odds are GM is being run as root. Just getting the password will let
you post to the blogger, erase entries, upload files and more. However,
there are a lot of CGIs (listed below) associated with the package, many
could be vulnerable to the older attacks. 

In the past I notified the author of a bug related to the password being
stored in cleartext on the server, so that any local user could read it.
This was actually discovered looking at the access_log of apache. When
rebuilding the GM threads/pages, it will include the login name and
password in the HREF. A simple grep of "password" through access_logs, or
snooping through the GM install dirs will find the administrator login for
GM. This prompted me to look at the cause of the HREF, and lead me to note
that many of the GM files are mode 666 by default. The author acknowledged
the vulnerability and indicated he rarely (if ever) supports the package.
Many people are moving to Movable Type [4] which imports GM material and
is being actively maintained. Movable Type apparently worries about
security more as well. For those still using GM, there is user based
support/upgrades/patches available [5]. The Greymatter home page can be
found at http://noahgrey.com/greysoft/.

About Greysoft from their page: 

Greymatter is the original^×and still the world's most popular^×opensource
weblogging and journal software.  With fully-integrated comments,
searching, file uploading and image handling, completely customisable
output through dozens of templates and variables, multiple author support,
and many other features, Greymatter remains the weblog/journal program of
choice for tens of thousands of people around the world. 

--

From the original post about the vulnerability [2]: 

How to hack greymatter driven sites

Just search for a file called "gmrightclick" in google and download a file
called "gmrightclick*.reg" where the stars represent a number. open it and
there you have it: Username and Password for everyone to use.

--

For those doing pen-testing or looking for the vuln, here are a few signs
of greymatter being used: 

* button "powered by greymatter", links to: http://noahgrey.com/greysoft/
* text that says "greymatter" 
* default blog string: Posted by  @ 

main page ATTRITION feedback