[NT] APG Classmaster Weak Permissions

From: SecuriTeam (support_at_securiteam.com)
Date: 05/11/05

  • Next message: SecuriTeam: "[NEWS] Gecko Based Browsers HTTP Authentication Prompt Vulnerability" 
    To: list@securiteam.com
Date: 11 May 2005 15:16:25 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      APG Classmaster Weak Permissions
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.apgtechnology.co.uk/classmaster/classmaster.htm> APG
    ClassMaster is "Edutec s Educational Networking Solution, that delivers
    unrivalled levels of usability and functionality to classroom networks.
    With its powerful tools and simple user friendly interface, ClassMaster
    minimizes the administration load on teachers and network managing staff
    alike, it turns ICT into a powerful teaching tool and enhances the
    experience of using ICT for all concerned."

    Access to APG's Classmaster subfolders is not properly limited, allowing
    access to shares with full permissions over a LAN.

    DETAILS

    This vulnerability affects all APG Classmaster Workstation versions. It
    remains a problem as an attacker can access shares with full permissions
    over a LAN.

    An attackers needs to issue a simple command in an MSDOS prompt (using the
    net windows application), mapping an account to a specified drive, as
    below:
    net use [drive]: \\[server]\[user]$

    A 'dir' command at this stage gives an access denied error. Knowing the
    name of the files area (which will be the same for each user) can lead to
    changing directory to that folder.

    cd 'My files'
    An attacker now has full permissions on a selected users 'my files' area.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:alex_@_exploitthissite.org>
    Alex Garrett.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] Gecko Based Browsers HTTP Authentication Prompt Vulnerability"

    Relevant Pages

    • [UNIX] phpSysInfo Multiple Vulnerabilities (HTTP_ACCEPT_LANGUAGE, sensor_program, VERSION, charset)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Multiple vulnerabilities have been discovered in phpSysInfo allowing ... the attacker to additionally inject the $lng parameter. ... $sensor_program can *still* be used to inject active ...
      (Securiteam)
    • [NT] Directory Traversal In CProxy
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... directory traversal attack and thus gain access to arbitrary files located ... on the CProxy Server system. ... filtering allows a remote attacker to gain attack to arbitrary files on ...
      (Securiteam)
    • [UNIX] KDE URI handler vulnerabilities
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A bug in KDE can be used by an attacker to create or truncate arbitrary ... The KDE URI handler does not perform adequate filtering ...
      (Securiteam)
    • [NT] PicoWebServer Unicode Stack Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A buffer overflow vulnerability has been discovered in PicoWebServer, ... exploiting this vulnerability allows a remote attacker to run arbitrary ... an attacker can trigger a stack overflow and cause the ...
      (Securiteam)
    • [NEWS] @Mail Web Interface Multiple Security Vulnerabilities
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... attacker to point it to mailbox of any registered user in @Mail system. ... Vulnerability 2: SQL database install - Multiple SQL Injection ...
      (Securiteam)