[NT] Multiple Vulnerabilities Found in Forum Web Server
From: support@securiteam.com
Date: 03/09/03
From: support@securiteam.com To: list@securiteam.com Date: 9 Mar 2003 15:00:27 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities Found in Forum Web Server
------------------------------------------------------------------------
SUMMARY
WebForums Server allows you to set up a bulletin board and photo/file
exchange web service. It offers a built in HTTP engine, internal database
engine, integrated HTML/Script pages, user management interface, message
board engine, and a secure file Upload/Download option.
Three vulnerabilities have been found in the server. The first allows an
attacker to access files that reside outside the restricted area of the
server. The second allows attackers to insert malicious HTML and
JavaScript into existing web pages (XSS vulnerability). The third makes it
possible to steal the usernames and passwords of other users.
DETAILS
Vulnerable systems:
* Forum Web Server version 1.60
Immune systems:
* Forum Web Server version 1.61
Directory Traversal:
Within the FileSharing area, press the "Upload new file" button, then
enter the following in the upload field:
\c$\winnt\repair\sam._
The file will then be "uploaded" to the area you selected.
XSS:
When posting or replying to a message in the "Message Forum" it is
possible to exploit an XSS vulnerability. The vulnerability exists in
both the Subject and the Message property.
Example:
Insert this into either Subject or Message property:
< script>alert('I OwN You');</script>
< img%20src=javascript:alert(document.domain)>
< script>alert(document.cookie)</script>
< script>window.open('http://www.infowarfare.dk')</script>
Information leak:
Using the Traversal vulnerability it is possible to get the whole username
and password file used by the Forum Web Server. This is done by simply
supplying the following "upload file":
\\<vuln-host>\c$\program Files\web forums server\user.ini
The usernames and passwords themselves are stored in clear text.
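Added example (not part of the original advisory and not the vendor's fix): a server-side check that would refuse both "upload" strings shown under Directory Traversal and Information leak, by accepting only a plain file name and confirming the resolved path stays inside the share. SHARE_ROOT and the function names are hypothetical; the relative-traversal and stream-name checks go slightly beyond the two cases in the advisory.

```python
import ntpath  # Windows path semantics; importable on any OS

SHARE_ROOT = r"D:\forum\share"  # hypothetical FileSharing directory (assumption)


class RejectedUpload(ValueError):
    """The client-supplied name is not a plain file name."""


def safe_upload_target(client_name: str, share_root: str = SHARE_ROOT) -> str:
    """Map a client-supplied upload name to a path inside share_root, or raise."""
    name = client_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    # "\\host\share\..." and "C:..." carry a drive part; "\c$\..." is rooted.
    if drive or rest.startswith("\\"):
        raise RejectedUpload("absolute, drive-letter or UNC path")
    parts = [p for p in rest.split("\\") if p]
    if len(parts) != 1 or parts[0] in (".", ".."):
        raise RejectedUpload("directory components are not allowed")
    leaf = parts[0]
    # ':' would name an NTFS alternate data stream; Windows drops trailing
    # dots and spaces, so "x.ini." and "x.ini" would be the same file.
    if ":" in leaf or leaf != leaf.rstrip(". "):
        raise RejectedUpload("unsafe characters in file name")
    root = ntpath.normpath(share_root)
    target = ntpath.normpath(ntpath.join(root, leaf))
    # Defence in depth: the resolved path must still sit under the share root.
    if ntpath.commonpath([root, target]).lower() != root.lower():
        raise RejectedUpload("resolved path escapes the share root")
    return target


def is_accepted(client_name: str) -> bool:
    try:
        safe_upload_target(client_name)
        return True
    except RejectedUpload:
        return False


# The two strings from the advisory, followed by constructed samples.
SAMPLES = [
    r"\c$\winnt\repair\sam._",
    r"\\<vuln-host>\c$\program Files\web forums server\user.ini",
    r"..\..\user.ini",  # constructed
    "holiday.jpg",      # constructed
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:70} -> {'accept' if is_accepted(s) else 'reject'}")
```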
Vendor response:
Received first reply from <mailto:Master@minihttpserver> David Yuan: "We
thank you for the information and will fix this issue as soon as
possible".
Disclosure timeline:
21/02/2003 Found the Vulnerability.
21/02/2003 Reported to Vendor (support@minihttpserver.net and
master@minihttpserver.net)
21/02/2003 Vendor reply, they now know of the vulnerabilities
04/03/2003 Fix made public
06/03/2003 Public Disclosure.
ADDITIONAL INFORMATION
The vulnerability was discovered by <mailto:matrix@infowarfare.dk> Dennis
Rand.