[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040824154251.21637.qmail@www.securityfocus.com>
Date: 24 Aug 2004 15:42:51 -0000
From: "Jérôme" ATHIAS <jerome.athias@...amail.com>
To: bugtraq@...urityfocus.com
Subject: WebAPP directory traversal and ability to retrieve the DES
encrypted password hash
WebAPP is advertised as the internet's most feature rich,
easy to run PERL based portal system.
Its home site is at http://www.web-app.org/
Some features are :
-Easy to Install on standard Unix servers!
(Windows user-supported only!)
-User Profiles
-Message forums
-Private messaging between members
-Blog-style News Articles
-Links and Downloads
-Customizable themes
-Multiple language support
-Flat-file System-NO SQL DATABASE!
-Membership controls
-Open source
Several user mods are also available which ranges from chat
to e-commerce applications.
Several vulnerabilities in these mods have already been
discovered.
The WebAPP system itself has a serious reverse directory
traversal vulnerability.
Example..
1) Go to http://vulnerable-target.xxx/cgi-bin/index.cgi
/this is their main support site/
2) Click on Articles on the main menu at the left side of
the screen
3) Click on any of the icons representing the misc topics
available /i chose the "bugs" section/
4) You'll wind up with the url "http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=bugs"
on the address bar on your browser. Change it to
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=../../../../../../../etc/passwd%00"
5)View the html source for the page
A more interesting file to look at would be;
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=../../db/members/admin.dat%00"
View the html source code and scroll down until you come to
the line with;
href="index.cgi?action=viewnews&id=adUCOOzV2ljgg"></a></td>
"adUCOOzV2ljgg" is the hashed password of the Administrator.
It's standard DES encrypted so you can
run a password cracking program to crack it
Every user would have a corresponding .dat file within the
db/members directory
PhTeam Release
Greetz to PATz, Luvchr|s, Verum, Fed-X, rebarz99, hEps,
ch1m3ra, and sa mga posers na kupal sa #oneball
Powered by blists - more mailing lists