| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <427F7E71.6050307@digitalmunition.com> Date: Mon May 9 16:12:14 2005 From: kf_lists at digitalmunition.com (KF (lists)) Subject: H-Sphere In some cases the unix hsphere installer leaves the user unixtest with a pass of unixtest1 and ftptest with a pass of ftptest1 laying behind. These accounts usually have a normal shell access. This software is NOT very fun to work with from an admin standpoint! -KF Morning Wood wrote: >------------------------------------------------------------ > - EXPL-A-2005-007 exploitlabs.com Advisory 036 - >------------------------------------------------------------ > - H-Sphere - > > > > > > >AFFECTED PRODUCTS >================= >H-Sphere Winbox > >Positive Software Corporation >https://www.psoft.net > > > > >OVERVIEW >======== >H-Sphere is a scalable multiserver web hosting solution. > It has many advanced features and a sophisticated billing > system to automate and improve your web hosting tasks. > H-Sphere was designed to work on many servers and can be > scaled by adding more web, mail, database, and DNS servers > without any downtime. It provides a simple, easy-to-use web > interface that can be maintained from any computer with > internet connection. H-Sphere was written in Java and works > with any SQL-compliant database. > > > > >DETAILS >======= >1. local user/pass information disclosure > > > > >Item 1 >--------- > >While performing administration duties for domain management, >HSPHERE writes log information containing domain information >and user/password combinations. > >C:\HSphere.NET\log > >action.log <--- stores user/pass >resources.log <--- stores user/pass > >example: >[0/00/2005 0:00:00 AM] Thread: 0000; Requested method "account.update" with >parameters resourcename=account, username=theuser, password=thepassword > > >on windows machines running HSPHERE, the default install >does not restrict permissions to this folder, allowing >less priveleged users to read account information. > > > >SOLUTION: >========= >Psoft has been contacted and a patch released >it is available at: > >http://www.psoft.net/misc/hsphere_winbox_security_update_passwd.html > > >Credits >======= >This vulnerability was discovered and researched by >Donnie Werner of exploitlabs > >Donnie Werner > >mail: wood at exploitlabs.com >mail: morning_wood at zone-h.org > >
Powered by blists - more mailing lists