Security Vulnerabilities
.inc File Vulnerability
Background
dadaIMC is content management software for the development of an Independent Media Center site.
Description
dadaIMC prior to version .99 stores database connectivity information in a file named "imc_dbinfo.inc" in the root directory of the site. The dadaIMC documentation indicates that Apache's configuration file should prevent ".inc" files from being served, but some system administrators may not have taken -- or may not be able to take -- the necessary precautions. This means that the file "imc_dbinfo.inc" may be viewed in a regular web browser, exposing database connectivity information (including username and password) to potential attackers.
Analysis
Exploitation allows for an attacker to gain access to the username and password used by dadaIMC for database connectivity. On a server whose MySQL configuration allows connections from remote hosts, this opens the entire dadaIMC database up to manipulation.
Detection
All versions of dadaIMC prior to .99 are vulnerable.
Workaround
Aside from upgrading to version .99 of dadaIMC, there are 2 workarounds for this issue:
Modify Apache's httpd.conf file to include a directive indicating that files ending in ".inc" should not be served:
<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>
This directive may also be placed in a .htaccess file at the root level of your site.
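As an added example (not part of the original advisory or the dadaIMC project), the following Python function checks a httpd.conf or .htaccess fragment for a <Files>/<FilesMatch> block that covers "imc_dbinfo.inc" and denies all access, so you can confirm the directive above is actually present before relying on it. It accepts the Apache 2.2 "Deny from all" form shown here as well as the Apache 2.4 "Require all denied" equivalent; the sample fragment is constructed.

```python
import fnmatch
import re

# Constructed sample .htaccess fragment (not from dadaIMC); it mirrors the
# directive given in the workaround above.
SAMPLE_HTACCESS = r'''
<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>
'''

# One <Files> / <FilesMatch> container. A leading "~" (or FilesMatch) marks
# the name as a regular expression; otherwise it is a shell-style wildcard.
FILES_BLOCK = re.compile(
    r'<Files(?P<match>Match)?\s+(?P<tilde>~\s+)?"?(?P<pattern>[^">]+)"?\s*>'
    r'(?P<body>.*?)</Files(?:Match)?>',
    re.IGNORECASE | re.DOTALL,
)


def inc_files_denied(config_text: str, probe: str = "imc_dbinfo.inc") -> bool:
    """Return True if some <Files>/<FilesMatch> block covers `probe` and its
    body denies all access: 'Deny from all' (Apache 2.2 syntax, as on this
    page) or 'Require all denied' (the Apache 2.4 equivalent)."""
    for m in FILES_BLOCK.finditer(config_text):
        pattern = m.group("pattern").strip()
        is_regex = m.group("match") is not None or m.group("tilde") is not None
        if is_regex:
            try:
                covered = re.search(pattern, probe) is not None
            except re.error:
                continue  # a malformed pattern protects nothing
        else:
            # Plain <Files> names use shell wildcards, not regular expressions.
            covered = fnmatch.fnmatch(probe, pattern)
        if not covered:
            continue
        body = m.group("body")
        if re.search(r"^\s*Deny\s+from\s+all\s*$", body, re.I | re.M):
            return True
        if re.search(r"^\s*Require\s+all\s+denied\s*$", body, re.I | re.M):
            return True
    return False


if __name__ == "__main__":
    print("imc_dbinfo.inc blocked:", inc_files_denied(SAMPLE_HTACCESS))
```

A "Deny from all" can still be overridden by a later "Allow" under "Order deny,allow", so treat a True result as a prompt to fetch the URL yourself and confirm a 403, not as proof.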
Alternatively, you may rename the file "imc_dbinfo.inc" to "imc_dbinfo.php". This also requires editing the /imc_classes/imc_master_includes.inc and /imc_classes/imc_Prefs.inc files. In imc_master_include.inc, change
require_once('imc_dbinfo.inc')
to
require_once('imc_dbinfo.php')
In the imc_Prefs.inc file, find the update() function, locate the "Administrative/default" case, and change 3 instances of "imc_dbinfo.inc" to "imc_dbinfo.php" (in 1 comment, 1 filename, 1 echo command).
Timeline
This vulnerability was noted in the original documentation in every version of dadaIMC.
Credit
This was a known aspect of the design implementation since early development.
Report Bugs
dadaIMC uses the Mantis bug-tracking system for bug reporting. Please use it! And check for existing reports of your bug before submitting a new one.
CVS
The current CVS version of dadaIMC is now browseable online. Be forewarned, though, that it is not always in a usable state as-is!
