Re: [Full-disclosure] H-Sphere

From: KF (lists) (kf_lists_at_digitalmunition.com)
Date: 05/09/05

  • Next message: Graham Reed: "Re: [Full-disclosure] Memory leak in DB2 sqlcctcpgetbuffer process, vulnerability or not?"
    Date: Mon, 09 May 2005 11:14:57 -0400
    To: Morning Wood <se_cur_ity@hotmail.com>
    
    

    In some cases the unix hsphere installer leaves the user unixtest with a
    pass of unixtest1 and ftptest with a pass of ftptest1 lying behind.
    These accounts usually have normal shell access.

    This software is NOT very fun to work with from an admin standpoint!

    -KF

    Morning Wood wrote:

    >------------------------------------------------------------
    > - EXPL-A-2005-007 exploitlabs.com Advisory 036 -
    >------------------------------------------------------------
    > - H-Sphere -
    >
    >AFFECTED PRODUCTS
    >=================
    >H-Sphere Winbox
    >
    >Positive Software Corporation
    >https://www.psoft.net
    >
    >OVERVIEW
    >========
    >H-Sphere is a scalable multiserver web hosting solution.
    > It has many advanced features and a sophisticated billing
    > system to automate and improve your web hosting tasks.
    > H-Sphere was designed to work on many servers and can be
    > scaled by adding more web, mail, database, and DNS servers
    > without any downtime. It provides a simple, easy-to-use web
    > interface that can be maintained from any computer with
    > internet connection. H-Sphere was written in Java and works
    > with any SQL-compliant database.
    >
    >DETAILS
    >=======
    >1. local user/pass information disclosure
    >
    >Item 1
    >---------
    >
    >While performing administration duties for domain management,
    >HSPHERE writes log information containing domain information
    >and user/password combinations.
    >
    >C:\HSphere.NET\log
    >
    >action.log <--- stores user/pass
    >resources.log <--- stores user/pass
    >
    >example:
    >[0/00/2005 0:00:00 AM] Thread: 0000; Requested method "account.update" with
    >parameters resourcename=account, username=theuser, password=thepassword
    >
    >
    >on windows machines running HSPHERE, the default install
    >does not restrict permissions to this folder, allowing
    >less privileged users to read account information.
    >
    >
    >
    >SOLUTION:
    >=========
    >Psoft has been contacted and a patch released;
    >it is available at:
    >
    >http://www.psoft.net/misc/hsphere_winbox_security_update_passwd.html
    >
    >
    >Credits
    >=======
    >This vulnerability was discovered and researched by
    >Donnie Werner of exploitlabs
    >
    >Donnie Werner
    >
    >mail: wood at exploitlabs.com
    >mail: morning_wood at zone-h.org
    >
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
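The advisory quoted above shows H-Sphere's action.log and resources.log recording `username=…, password=…` parameters in the clear. The script below is an added example written for this archive page; it is not code from the advisory, from KF, or from Positive Software. It parses lines in the format the advisory quotes, reports every line that logs a credential parameter, and writes a redacted copy so the log can be retained or handed to support without exposing passwords. The sample log lines, the set of parameter names treated as secrets, and the method names are constructed for the illustration.

```python
"""Scan H-Sphere-style action.log / resources.log lines for credentials
logged in the clear, report them, and emit a redacted copy.

Added example, not code from the advisory or from Positive Software.
The log line format follows the example quoted in the advisory; the
parameter names treated as secrets and the sample timestamps, thread
ids and methods are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log (not real H-Sphere output).
SAMPLE_LOG = """\
[5/09/2005 11:02:13 AM] Thread: 0017; Requested method "account.update" with parameters resourcename=account, username=theuser, password=thepassword
[5/09/2005 11:02:14 AM] Thread: 0017; Requested method "domain.list" with parameters resourcename=domain, username=theuser
this line is not in the expected format and is passed through untouched
[5/09/2005 11:03:40 AM] Thread: 0021; Requested method "ftp.create" with parameters resourcename=ftp, username=ftptest, passwd=ftptest1
"""

# One log line: [timestamp] Thread: NNNN; Requested method "x.y" with parameters k=v, k=v
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+Thread:\s*(?P<thread>\d+);\s+'
    r'Requested method "(?P<method>[^"]+)"'
    r'(?:\s+with parameters\s+(?P<params>.*))?$'
)

# Parameter names treated as secrets (assumption; extend for your deployment).
SECRET_KEYS = ("password", "passwd", "pass", "pwd")
SECRET_RE = re.compile(r'\b(' + "|".join(SECRET_KEYS) + r')=([^,]*)', re.IGNORECASE)


@dataclass
class Finding:
    lineno: int
    method: str
    username: Optional[str]
    secret_keys: Tuple[str, ...]


def parse_params(params: Optional[str]) -> dict:
    """Turn 'a=1, b=2' into {'a': '1', 'b': '2'} (keys lower-cased)."""
    out = {}
    for item in (params or "").split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        out[key.strip().lower()] = value.strip()
    return out


def scan_log(text: str) -> Tuple[List[Finding], str]:
    """Return (findings, redacted_text).

    A finding is recorded for every well-formed line whose parameter list
    contains a secret key; the redacted text has every secret value replaced
    with [REDACTED] so the file can be kept or shared with wider permissions.
    """
    findings: List[Finding] = []
    redacted_lines: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if m:
            params = parse_params(m.group("params"))
            leaked = tuple(k for k in SECRET_KEYS if k in params)
            if leaked:
                findings.append(
                    Finding(lineno, m.group("method"), params.get("username"), leaked)
                )
        # Redact whether or not the line parsed, so a malformed line cannot leak.
        redacted_lines.append(SECRET_RE.sub(r"\1=[REDACTED]", line))
    return findings, "\n".join(redacted_lines) + "\n"


if __name__ == "__main__":
    found, clean = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.lineno}: {f.method} logged {', '.join(f.secret_keys)} for user {f.username}")
    print(clean)
```

Redaction is applied to every line, not only to the lines the parser understands, because a log format you have not fully characterised is exactly where an unrecognised line carries the credential. Redacting after the fact does not replace the vendor patch or tightening the ACL on `C:\HSphere.NET\log`; it limits what an already-written log can give away.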

