Owl Intranet Engine - bypass admin
From: cdowns (cdowns_at_drippingdead.com)
Date: 05/14/03
- Previous message: jaymz ringler: "Re: Auto-Run CD - Disabling ScreenSavers"
- Next in thread: Rohan Amin: "Re: Owl Intranet Engine - bypass admin"
- Reply: Rohan Amin: "Re: Owl Intranet Engine - bypass admin"
Date: Tue, 13 May 2003 17:26:39 -0500
To: webappsec@securityfocus.com, pen-test@securityfocus.com
Good Afternoon,

After working on a pen-test this week I came across OWL (Owl
Intranet Engine), which is an open source file sharing utility written
in PHP and run on Apache. I was trying to see where I could possibly
inject, CSS or just plain command line exec.

In browse.php, which requires("owl.lib.php"), there is a function that
is not checking valid loginname:passwords. So you can view and download
any file on the system; you can also modify them.

I have not gotten too deep into this as I have other things to do as
well. If anyone has any comments please feel free to share. I'm pretty
sure you could do a little more ;)

If you want to look, here is the main hosted site:
http://owl.sourceforge.net/

Here is a sample:
http://www.someplace.com/intranet/browse.php?loginname=whocares&parent=1&expand=1&order=creatorid&sortposted=ASC

Thanks all.
~!>D
--
------------------------------------------
Network Security Engineer
http://www.angrypacket.com
Christopher M Downs,RHCE
cdowns@bigunz.angrypacket.com
char ash[]="\x48\x61\x69\x6C\x20"
"\x74\x6F\x20\x74\x68\x65\x20\x4B"
"\x69\x6E\x67";
-------------------------------------------
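
As an added example (not part of the original post, and not Owl project code): a log-triage script for the behaviour reported above, listing browse.php requests that carry a client-supplied loginname parameter and which of them the server actually answered with a 2xx. It assumes Apache common/combined log format; the sample lines, IP addresses and the `sess` parameter are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_suspect_requests(lines):
    """Return browse.php hits whose query string supplies loginname."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/browse.php"):
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        if "loginname" not in query:
            continue
        hits.append({
            "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "loginname": query["loginname"][0],
            "parent": query.get("parent", [""])[0],
        })
    return hits

def summarize(hits):
    """Map client IP -> loginname values on requests that were served (2xx)."""
    by_ip = defaultdict(set)
    for h in hits:
        if 200 <= h["status"] < 300:
            by_ip[h["ip"]].add(h["loginname"])
    return dict(by_ip)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [13/May/2003:17:20:01 -0500] "GET /intranet/browse.php?loginname=whocares&parent=1&expand=1&order=creatorid&sortposted=ASC HTTP/1.1" 200 5120',
    '192.0.2.10 - - [13/May/2003:17:20:09 -0500] "GET /intranet/browse.php?loginname=x&parent=7 HTTP/1.1" 200 2210',
    '198.51.100.4 - - [13/May/2003:17:21:40 -0500] "GET /intranet/browse.php?sess=abc123&parent=1 HTTP/1.1" 200 4800',
    '203.0.113.7 - - [13/May/2003:17:22:02 -0500] "GET /intranet/browse.php?loginname=admin&parent=1 HTTP/1.1" 403 310',
    '198.51.100.4 - - [13/May/2003:17:23:11 -0500] "GET /intranet/index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, names in summarize(find_suspect_requests(SAMPLE)).items():
        print(ip, sorted(names))
```

Whether a loginname parameter on browse.php is ever legitimate in a given deployment is an assumption to confirm before alerting on it.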