[VulnWatch] Multiple vulnerabilities found in Forum Web Server v1.60

From: matrix@infowarfare.dk
Date: 03/06/03

    Date: Thu,  6 Mar 2003 08:45:09 +0100
    From: matrix@infowarfare.dk
    To: undisclosed-recipients:;
    

                               Multiple vulnerabilities
                            found in Forum Web Server v1.60
                             http://www.minihttpserver.net
                             
                              Discovered by Dennis Rand
                                 www.Infowarfare.dk
    ------------------------------------------------------------------------

    SUMMARY
    WebForums Server allows you to set up a bulletin board and photo/file
    exchange web service. It offers a built-in HTTP engine, internal database
    engine, integrated HTML/Script pages, user management interface, message
    board engine and a secure file Upload/Download option. It is without a doubt
    the easiest and most complete all-in-one Forum Server software you have seen.

    It is possible to gain access to server files outside the restricted
    area of the server and make sensitive files public.
    Second, there is an XSS vulnerability in the Forum area.
    Third, it is possible to steal the usernames and passwords.

    DETAILS

    Vulnerable systems:
     Windows NT 4.0 and Windows 2000 server fully patched
     * Forum Web Server v.1.60
     
    Immune systems:
     * Forum Web Server v.1.61

    A crafted upload request allows remote users to break out of the
    restricted directories and gain read access to the system directory
    structure, making it possible to retrieve files from outside the
    restricted areas. The server is also vulnerable to XSS, and last but
    not least I've discovered an information leak that exposes the user
    database of the Forum Web Server.

    The following transcript demonstrates a sample exploitation of the
    vulnerabilities:
    -------------------------------------------------------------------
    Traversal:
    Within the FileSharing area, press the "Upload new file" button.
    In the upload field, instead of a local file name, simply enter:

    \\<vuln host>\c$\winnt\repair\sam._

    The file is then "uploaded" into an area from which you can download
    sam._ and crack the password hashes with, e.g., L0phtCrack. Note that
    sam._ is the compressed SAM backup that rdisk writes to the repair
    directory: decompress it with the Windows "expand" utility before
    loading it, and bear in mind it only reflects the accounts as of the
    last rdisk run.

    XSS:
    When posting or replying to a message in the "Message Forum", script
    placed in either the Subject or the Message is stored with the post and
    executes in the browser of anyone who views it.

    e.g. insert any of the following into either Subject or Message:
    <script>alert('I OwN You');</script>
    <img%20src=javascript:alert(document.domain)>
    <script>alert(document.cookie)</script>
    <script>window.open('http://www.infowarfare.dk')</script>
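The fix for the Subject/Message XSS is to HTML-escape both fields before they are written into the page. The following is an added example (not Forum Web Server code) that renders a post the unescaped way the advisory implies and the escaped way, and includes a crude check that the advisory's own four payloads survive only as inert text. The template markup and the `render_post_*` names are assumptions for illustration.

```python
"""Rendering forum posts so that Subject and Message cannot carry script.

Added example, not Forum Web Server code. render_post_vulnerable() shows the
pattern the advisory implies: user text pasted straight into the page.
render_post_safe() HTML-escapes both fields, which turns the advisory's
payloads into inert text. The template below is an assumed layout.
"""
import html
import re

# The four payloads quoted in the advisory, as they would arrive in a POST body
ADVISORY_PAYLOADS = [
    "<script>alert('I OwN You');</script>",
    "<img%20src=javascript:alert(document.domain)>",
    "<script>alert(document.cookie)</script>",
    "<script>window.open('http://www.infowarfare.dk')</script>",
]

# Assumed page fragment; str.format only interprets braces in this string,
# never in the substituted values
_TEMPLATE = '<div class="post"><h3>{subject}</h3><p>{message}</p></div>'


def render_post_vulnerable(subject: str, message: str) -> str:
    """Interpolate untrusted text without escaping (the defect)."""
    return _TEMPLATE.format(subject=subject, message=message)


def render_post_safe(subject: str, message: str) -> str:
    """Escape &, <, >, " and ' so the browser shows the text instead of parsing it."""
    return _TEMPLATE.format(
        subject=html.escape(subject, quote=True),
        message=html.escape(message, quote=True),
    )


# A script-capable tag, or any tag carrying a javascript: URL or on* handler.
# The attribute checks are scoped to a single tag ([^>]*) so escaped text such
# as "&lt;img src=javascript:..." outside a tag does not trigger a hit.
_ACTIVE = re.compile(
    r"<\s*(?:script|img|iframe|object|embed|svg)\b"
    r"|<[^>]*(?:javascript\s*:|\bon\w+\s*=)",
    re.IGNORECASE,
)


def contains_active_markup(rendered: str) -> bool:
    """True if the rendered HTML still contains markup the payloads rely on.

    Run over render_post_vulnerable() output it flags a stored payload; run
    over render_post_safe() output it should never fire.
    """
    return _ACTIVE.search(rendered) is not None


if __name__ == "__main__":
    for payload in ADVISORY_PAYLOADS:
        unsafe = render_post_vulnerable("test", payload)
        safe = render_post_safe("test", payload)
        print(f"{payload!r}")
        print(f"  unescaped -> active markup: {contains_active_markup(unsafe)}")
        print(f"  escaped   -> active markup: {contains_active_markup(safe)}")
```

Escaping on output is the control that matters; the detector is only a sanity check for reviewing stored posts and is easy to evade, so it must not be used as the filter.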

    Information leak:
    Using the same upload trick it is possible to obtain the usernames and
    passwords of the Forum Web Server simply by "uploading"

    \\<vuln-host>\c$\program Files\web froums server\user.ini

    The usernames and passwords are stored in clear text, ready to use.
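Both the sam._ retrieval above and this user.ini leak come from the same defect: the value typed into the upload field is treated as a path the server reads, so a UNC path to the server's own administrative share is followed. The following is an added example (not Forum Web Server or vendor code) of how an upload handler should treat that value: classify it for logging, keep only the final name component, validate it, and write only the bytes the client actually sent. Host names and file names in it are constructed; the function names are assumptions.

```python
r"""Upload-name handling for a file-sharing upload form.

Added example, not code from Forum Web Server or its vendor. It models the
defect the advisory describes: the value typed into the upload field is used
as a path, so \\host\c$\winnt\repair\sam._ makes the server publish its own
SAM backup. The safe handler below never opens the supplied value; it keeps
the final name component, validates it, and stores the client's bytes.
"""
import re
from pathlib import Path

# \\host\c$\... or \\host\admin$\... : Windows administrative shares
_ADMIN_SHARE = re.compile(r"^\\\\[^\\/]+\\(?:[A-Za-z]\$|admin\$)(?:\\|$)", re.IGNORECASE)
_DRIVE_ABS = re.compile(r"^[A-Za-z]:[\\/]")
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
# Device names Windows resolves regardless of directory or extension
_RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}


def classify_upload_name(raw: str) -> str:
    """Describe what `raw` would reach if a server used it as a path.

    Returns "" for a plain file name, otherwise a short label suitable for
    logging or for rejecting the request outright.
    """
    if not raw or "\x00" in raw:
        return "empty or NUL byte"
    if _ADMIN_SHARE.match(raw):
        return "UNC admin share"
    if raw.startswith(("\\\\", "//")):
        return "UNC path"
    if _DRIVE_ABS.match(raw) or raw.startswith(("\\", "/")):
        return "absolute path"
    parts = re.split(r"[\\/]", raw)
    if any(p == ".." for p in parts):
        return "parent directory reference"
    if len(parts) > 1:
        return "contains directory separator"
    return ""


def sanitize_upload_name(raw: str) -> str:
    """Reduce a client-supplied name to a bare file name or raise ValueError.

    Browsers may legitimately send a full client-side path, so only the last
    component is kept; everything before it is discarded, never resolved.
    """
    if not raw or "\x00" in raw:
        raise ValueError("empty name or NUL byte")
    name = re.split(r"[\\/]", raw)[-1]
    if name in ("", ".", ".."):
        raise ValueError("no file name component")
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"disallowed characters in {name!r}")
    if name.split(".", 1)[0].upper() in _RESERVED:
        raise ValueError(f"reserved device name {name!r}")
    return name


def is_safe_upload_name(raw: str) -> bool:
    """Convenience wrapper: True if sanitize_upload_name() accepts `raw`."""
    try:
        sanitize_upload_name(raw)
        return True
    except ValueError:
        return False


def store_upload(raw_name: str, data: bytes, share_dir: Path) -> Path:
    """Write the bytes the client sent under a sanitized name inside share_dir.

    The supplied name is never opened for reading, so a UNC or absolute path
    in the form field cannot make the server copy one of its own files.
    """
    name = sanitize_upload_name(raw_name)
    dest = (share_dir / name).resolve()
    if dest.parent != share_dir.resolve():  # belt and braces; the regex already forbids separators
        raise ValueError("destination escaped the share directory")
    dest.write_bytes(data)
    return dest


if __name__ == "__main__":
    # Constructed inputs: the advisory's two payloads plus ordinary names
    for candidate in (
        r"\\victim\c$\winnt\repair\sam._",
        r"\\victim\c$\program Files\web froums server\user.ini",
        r"..\..\user.ini",
        r"C:\Documents\photo.jpg",
        "photo.jpg",
    ):
        print(f"{candidate!r:60} -> {classify_upload_name(candidate) or 'plain name'}")
```

Note that sanitize_upload_name() accepts the advisory's sam._ payload and simply returns "sam._": that is the intended behaviour, because the server then stores whatever bytes the client uploaded under that name rather than reading its own repair directory. classify_upload_name() exists so that such requests can still be logged and alerted on.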
    --------------------------------------------------------------------

    Detection:
    Forum Web Server v1.60 is vulnerable to the attacks described above.
    Earlier versions may be susceptible as well. To determine whether a
    specific installation is vulnerable, follow the transcript above.

    Vendor response:
    Received first reply from David Yuan (Master@minihttpserver):
    "We thank you for the information and will fix this issue as soon as possible."

    Disclosure timeline:
    --------------------
    21/02/2003 Found the Vulnerability.
    21/02/2003 Reported to Vendor (support@minihttpserver.net and
    master@minihttpserver.net)
    21/02/2003 Vendor reply, they now know of the vulnerabilities
    04/03/2003 Fix made public
    06/03/2003 Public Disclosure.

    ADDITIONAL INFORMATION
    The vulnerabilities were discovered by Dennis Rand <mailto:matrix@infowarfare.dk>

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any
    kind. In no event shall we be liable for any damages whatsoever including
    direct, indirect, incidental, consequential, loss of business profits or
    special damages.


