[UNIX] SWS Administrative Access Vulnerability

From: support@securiteam.com
Date: 04/14/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 14 Apr 2002 21:53:58 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  SWS Administrative Access Vulnerability
------------------------------------------------------------------------

SUMMARY

SWS (StepWeb Search Engine) is a search engine downloadable from
http://www.stepweb.com. It finds one or more words in a flat file database
in which URLs have been stored and prints the results to the screen in
HTML format. A security vulnerability in the product allows remote
attackers to discover the administrative password for the product by
accessing a URL; with that password it is then possible to manage the user
database and view sensitive information stored in the log files.

DETAILS

Vulnerable systems:
SWS version 2.5

SWS comes with an administration page that allows one to add addresses to,
and delete addresses from, the database, and to view the log file that
stores all searched items. This page, known as admin.html, can normally be
found in the same directory as the search engine itself. It links to a
password protected CGI script known as manager.pl. Not only does admin.html
point to manager.pl, it also embeds the password in the HTML links, as
shown below.

http://www.mysite.com/cgi-bin/sws/manager.pl?add&pass=PassWord
http://www.mysite.com/cgi-bin/sws/manager.pl?del&pass=PassWord
http://www.mysite.com/cgi-bin/sws/manager.pl?log&pass=PassWord

Exploit:
If one were to find the location of the "admin.html" file, that person
could easily add addresses to the search database or view the log file
that stores all searches made by users of the engine. Note, though, that
addresses cannot be deleted this way, because they are individually
password protected and those passwords are stored in an inaccessible .dat
file.

Example:
Browse to http://www.mysite.com/sws/admin.html and click the links. The
hard-coded links will do the rest.

Fix:
Our advice is to place admin.html in a directory protected by htaccess, or
to rewrite the HTML so that the user must input the password instead of
clicking on a link that carries it.
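As an added example (not SWS code and not from the advisory author), the following Python check covers the two things a site administrator wants here: a static scan of admin.html for links that carry the manager.pl password in their query string, and a pass over the web server access log, where the same "pass=" parameter appears for every use of the admin page, so that administrative actions can be attributed to a client address. The HTML and log samples are constructed after the URLs quoted above; PassWord is a placeholder value.

```python
# Added example: find hard-coded credentials in admin.html links and
# detect manager.pl requests in the access log. Not SWS code; sample
# data is constructed after the advisory's URLs.
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

CREDENTIAL_PARAMS = {"pass", "passwd", "password", "pwd"}
SAMPLE_ADMIN_HTML = """<html><body>
<a href="/cgi-bin/sws/manager.pl?add&pass=PassWord">Add</a>
<a href="/cgi-bin/sws/manager.pl?del&pass=PassWord">Delete</a>
<a href="/cgi-bin/sws/manager.pl?log&pass=PassWord">Log</a>
<a href="/cgi-bin/sws/search.pl?q=perl">Search</a>
</body></html>"""

# Constructed Apache common-log lines (client addresses are documentation ranges).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [14/Apr/2002:21:54:02 +0200] "GET /cgi-bin/sws/manager.pl?log&pass=PassWord HTTP/1.0" 200 8831
198.51.100.7 - - [14/Apr/2002:21:55:10 +0200] "GET /cgi-bin/sws/search.pl?q=perl HTTP/1.0" 200 512
203.0.113.5 - - [14/Apr/2002:21:56:40 +0200] "GET /cgi-bin/sws/manager.pl?add&pass=PassWord HTTP/1.0" 200 300"""

def credential_in_query(url):
    """(action, param) if the URL's query carries a credential, else None."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    action = next((k for k, v in pairs if v == ""), None)  # add / del / log
    hit = next((k for k, v in pairs if k.lower() in CREDENTIAL_PARAMS and v), None)
    return (action, hit) if hit else None

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def scan_admin_html(html):
    """Static check: (href, action, param) for every link embedding a credential."""
    parser = _Links()
    parser.feed(html)
    return [(h, *f) for h in parser.hrefs if (f := credential_in_query(h))]

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def scan_access_log(text):
    """Detection: (client_ip, action, status) for manager.pl requests carrying a credential."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and urlsplit(m.group(3)).path.endswith("/manager.pl"):
            found = credential_in_query(m.group(3))
            if found:
                hits.append((m.group(1), found[0], int(m.group(4))))
    return hits
```

Because the password travels in a GET query string, it is also written into the access log itself, so the log file should be treated as sensitive once this product is deployed.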

ADDITIONAL INFORMATION

The information has been provided by BrainRawt (brainrawt@hotmail.com).


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
