SWS Vuln (small but important to those using it.)

From: "BrainRawt ." <brainrawt@hotmail.com>
To: bugtraq@securityfocus.com
Date: Fri, 12 Apr 2002 02:07:54 +0000

--------------------------------------------------------------------
Dear Bugtraq Readers,

I wasn't sure if this advisory deserved space on the bugtraq mailing
list, but, as a friend of mine helped me to remember, "All security flaws are
important no matter what their size." I guess I'll go ahead,
hit send and let you decide.

-BrainRawt
--------------------------------------------------------------------

SWS (StepWeb Search Engine) Administrative Access Vulnerability
Discovered by BrainRawt.

Vulnerable: SWS 2.5 (free version) and possibly others. SWS Gold
            maybe?

About SWS:
----------------
SWS is a search engine downloadable at www.stepweb.com. It finds one or
more words in a flat file database in which URLs have been stored, and
prints the results to the screen in HTML format.

Vendor Contact:
----------------
4-01-02 - An email was sent to stepweb.com discussing this issue.

          No Reply Yet!!!

Vulnerability:
----------------
SWS comes with an administration page that allows one to add/delete
addresses to/from the database and to view the log file that stores all
searched items. This page is known as admin.html and can normally be found
in the same directory as the search engine itself. It links to a
password-protected CGI script known as manager.pl. Not only does admin.html
point to manager.pl, but it also stores the password in the HTML links, as
shown below.

http://www.mysite.com/cgi-bin/sws/manager.pl?add&pass=PassWord
http://www.mysite.com/cgi-bin/sws/manager.pl?del&pass=PassWord
http://www.mysite.com/cgi-bin/sws/manager.pl?log&pass=PassWord

Exploit:
----------------
If one were to find the location of the "admin.html" file, that person
could easily add addresses to the search database or view the log file
that stores all searches made by users of the engine. Addresses cannot be
deleted, because they are individually password protected and those
passwords are stored in an inaccessible .dat file.

EXAMPLE: http://www.mysite.com/sws/admin.html and click the links. The
hardcoded links will do the rest. SHEESH!!!!

Fix:
---------------
NONE AT THE TIME OF THIS WRITING!

My advice is to place admin.html in a directory protected by .htaccess,
or to rewrite the HTML so that the user must type the password instead of
clicking on a link that contains it. :)

--------------------------------------------------------------------
