Date: Mon May  9 13:54:59 2005
From: se_cur_ity at hotmail.com (Morning Wood)
Subject: H-Sphere

------------------------------------------------------------
       - EXPL-A-2005-007 exploitlabs.com Advisory 036 -
------------------------------------------------------------
                      - H-Sphere -
AFFECTED PRODUCTS
=================
H-Sphere Winbox

Positive Software Corporation
https://www.psoft.net
OVERVIEW
========
H-Sphere is a scalable multiserver web hosting solution.
It has many advanced features and a sophisticated billing
system to automate and improve your web hosting tasks.
H-Sphere was designed to work on many servers and can be
scaled by adding more web, mail, database, and DNS servers
without any downtime. It provides a simple, easy-to-use web
interface that can be maintained from any computer with
internet connection. H-Sphere was written in Java and works
with any SQL-compliant database.
DETAILS
=======
1. local user/pass information disclosure
Item 1
---------

While performing administration duties for domain management,
HSPHERE writes log information containing domain information
and user/password combinations.

C:\HSphere.NET\log

action.log <--- stores user/pass
resources.log <--- stores user/pass

example:
[0/00/2005 0:00:00 AM] Thread: 0000; Requested method "account.update" with
parameters resourcename=account, username=theuser, password=thepassword


On Windows machines running HSPHERE, the default install
does not restrict permissions on this folder, allowing
less privileged users to read account information.
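A defender-side check for the log entries described above, added here as an example and not part of the advisory or of Psoft's software: it parses lines of the shape shown in the example, flags entries that carry a password parameter, and produces a redacted copy suitable for retention. The line layout and the set of secret parameter names are assumptions inferred from the single example line; the sample log is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Line shape inferred from the advisory's example (assumption):
# [date time] Thread: NNNN; Requested method "name" with parameters k=v, k=v
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+Thread:\s*(?P<thread>\d+);\s*'
    r'Requested method "(?P<method>[^"]+)"\s+with\s+parameters\s+(?P<params>.*)$'
)

# Parameter names treated as secrets (assumed; only "password" appears on the page).
SECRET_PARAMS = ("password", "passwd", "pass")
SECRET_RE = re.compile(r'\b(' + "|".join(SECRET_PARAMS) + r')=([^,\s]*)', re.IGNORECASE)

# Constructed sample log, modelled on the advisory's example entry.
SAMPLE_LOG = [
    '[0/00/2005 0:00:00 AM] Thread: 0000; Requested method "account.update" '
    'with parameters resourcename=account, username=theuser, password=thepassword',
    '[0/00/2005 0:00:01 AM] Thread: 0001; Requested method "domain.list" '
    'with parameters resourcename=domain, username=theuser',
    'unrelated line that does not follow the format',
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one log line into timestamp, thread, method and a parameter dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    params: Dict[str, str] = {}
    for pair in m.group("params").split(","):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key.strip()] = value.strip()
    return {"ts": m.group("ts"), "thread": m.group("thread"),
            "method": m.group("method"), "params": params}


def credential_params(entry: Dict[str, object]) -> List[str]:
    """Names of parameters in a parsed entry whose values are secrets."""
    return [k for k in entry["params"] if k.lower() in SECRET_PARAMS]


def redact_line(line: str) -> str:
    """Mask every secret parameter value; the key name is kept for auditing."""
    return SECRET_RE.sub(lambda m: f"{m.group(1)}=<redacted>", line)


def scan(lines: List[str]) -> Tuple[List[Dict[str, object]], List[str]]:
    """Return (entries that expose a credential, redacted copy of all lines)."""
    findings, redacted = [], []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry and credential_params(entry):
            findings.append({"line": n, "method": entry["method"],
                             "user": entry["params"].get("username"),
                             "fields": credential_params(entry)})
        redacted.append(redact_line(line))
    return findings, redacted
```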



SOLUTION:
=========
Psoft has been contacted and a patch has been released.
It is available at:

http://www.psoft.net/misc/hsphere_winbox_security_update_passwd.html


Credits
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs

Donnie Werner

mail:   wood at exploitlabs.com
mail:   morning_wood at zone-h.org
-- 
web:    http://exploitlabs.com
web:    http://zone-h.org

http://exploitlabs.com/files/advisories/EXPL-A-2005-007-hsphere.txt
