[UNIX] Cobalt Qube 3 Administration Page Insecurity
From: firstname.lastname@example.org
From: firstname.lastname@example.org To: email@example.com Date: Thu, 25 Jul 2002 12:05:17 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cobalt Qube 3 Administration Page Insecurity
Several security vulnerabilities have been found in the Cobalt Qube 3
product. They allow an attacker to bypass the authentication mechanism,
gaining administrative privileges, and to delete any file on the server.
Cobalt Qube 3 release 6.0 (Kernel 2.2.16C7)
Problem 1: Local Privilege Escalation to Admin
Any user able to create a file anywhere on a Cobalt server can promote
themselves to Admin access in the System Management interface: the user
creates a file such as /tmp/test and constructs a cookie that logs in as Admin.
Create a dummy session file on the Cobalt server:
$ printf "admin" > /tmp/test
Log in without a password from anywhere:
$ curl -b sessionId=/../../../../../../tmp/test\;loginName=admin
Problem 2: Remote User access
By using the account name of a newly created user, the authentication can
be bypassed without needing to create a dummy session file on the server:
$ curl -b sessionId=../codb/objects/4/.name\;loginName=admin
Problem 3: Remotely delete files
It is possible to delete a file from the server by specifying the path to
the file and the first 31 characters of the file name. The following example
will delete the /etc/passwd file from the server:
Workaround: modify the file /usr/sausalito/ui/libPhp/ServerScriptHelper.php
so that directory-traversal sequences are stripped from the session id:
$sessionId = ereg_replace("\.\.","",$sessionId);
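All three problems come from the sessionId cookie being used directly as a file path. The following is an added example, not Cobalt's code, showing the advisory's strip-".." workaround next to an allow-list check and a canonical-path containment check; the session directory and the token format are assumptions, since the page does not give them.

```php
<?php
// Added example, not Cobalt's code. The session directory below is an
// assumed placeholder; the real one is not given in the advisory.
const SESSION_DIR = '/var/lib/example-sessions';

// The advisory's workaround: remove ".." from the cookie value. It is a
// filter, not a validation: any other character (including a leading "/")
// still reaches the filesystem.
function stripDotDot(string $sessionId): string {
    return str_replace('..', '', $sessionId);
}

// Allow-list check: a session id is an opaque token, so accept only a fixed
// alphabet and length (assumed format) and refuse everything else up front.
function isValidSessionId(string $sessionId): bool {
    return preg_match('/\A[A-Za-z0-9]{16,64}\z/', $sessionId) === 1;
}

// Resolve the session file and accept it only if it lies inside $dir.
// Returns the canonical path, or null if the id is invalid, the file does
// not exist, or the resolved path escapes the session directory.
function sessionFilePath(string $sessionId, string $dir = SESSION_DIR): ?string {
    if (!isValidSessionId($sessionId)) {
        return null;
    }
    $base = realpath($dir);
    if ($base === false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $sessionId); // false if missing
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed inputs: the two cookie values quoted in the advisory and one
// well-formed token. Only the token passes the allow-list check.
$samples = ['/../../../../../../tmp/test', '../codb/objects/4/.name', 'a3f9c2d1e0b47c6d'];
foreach ($samples as $id) {
    printf("%-30s after strip: %-22s valid: %s\n",
        $id, stripDotDot($id), isValidSessionId($id) ? 'yes' : 'no');
}
```

The printed "after strip" column shows why stripping alone is insufficient: the first cookie still resolves to a path under /tmp, whereas the allow-list rejects both advisory cookies before any file is opened.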