SecurityTracker.com
Category:  Application (Web Server/CGI)  >  Enceladus Server Suite
Vendors:  Mollensoft Software
Enceladus Server Suite Bugs Disclose Passwords to Local Users and Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1006960
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jun 9 2003
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 3.9.11
Description:  Ziv Kamir reported several flaws in Enceladus Server Suite. A local user can view passwords. A remote authenticated user can view a restricted password file. A remote user can also conduct cross-site scripting attacks.

It is reported that usernames and passwords are stored in clear text in the '\Program Files\enceladus\users' directory. A separate file is used for each user and contains the user's password. A local user can view the files to obtain user passwords.

It is also reported that the GuestBook feature does not properly filter HTML code from user-supplied input in the 'E-mail Address' or 'Comments' fields. A remote user can enter a specially crafted value into these fields so that when a target user views the GuestBook, arbitrary scripting code will be executed by the target user's browser. The code will originate from the site running the Enceladus software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

It is also reported that a remote user with download privileges can read the 'htaccess.txt' file, which reportedly contains the usernames and passwords of users that have access to the "Secure Download" Folder. A demonstration exploit URL is provided:

http://[target]/secure-downloads/htaccess.txt

The vendor has reportedly been notified (on June 9, 2003).
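
The GuestBook flaw described above comes down to copying the 'E-mail Address' and 'Comments' fields into the page unencoded. The following is an added example, not code from the vendor or the reporter, showing that behaviour beside a rendering that encodes each field for its output context; the page layout, function names and sample input are assumptions made for illustration.

```python
import html
import re
from urllib.parse import quote

# Conservative address shape for deciding whether to emit a mailto: link.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def render_entry_unsafe(email: str, comments: str) -> str:
    """Reproduces the reported flaw: both fields reach the page unfiltered."""
    return f'<p><a href="mailto:{email}">{email}</a></p><p>{comments}</p>'

def render_entry_safe(email: str, comments: str) -> str:
    """Encode each field for the context it lands in."""
    shown = html.escape(email, quote=True)            # HTML text context
    if EMAIL_RE.fullmatch(email):
        # Attribute context: URL-encode first, then HTML-escape the whole URL.
        href = html.escape("mailto:" + quote(email, safe="@"), quote=True)
        email_html = f'<a href="{href}">{shown}</a>'
    else:
        email_html = shown                            # not an address: plain text, no link
    body = html.escape(comments, quote=True).replace("\n", "<br>")
    return f"<p>{email_html}</p><p>{body}</p>"

# Constructed sample input: markup where an address and a comment are expected.
SAMPLE_EMAIL = '"><script>alert(1)</script>'
SAMPLE_COMMENT = "nice site\n<script>alert(1)</script>"

def demo() -> tuple:
    return (render_entry_unsafe(SAMPLE_EMAIL, SAMPLE_COMMENT),
            render_entry_safe(SAMPLE_EMAIL, SAMPLE_COMMENT),
            render_entry_safe("visitor@example.org", "hello"))

if __name__ == "__main__":
    for page in demo():
        print(page)
```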

Impact:  A local user can view passwords.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Enceladus software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote authenticated user with download privileges can access the download folder's password file. [Editor's note: It is not clear whether the passwords in this file are encrypted or not.]
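
For the clear-text storage in the 'users' directory (one file per user, named after the user, holding the password), the following added example, which is not the vendor's code or a vendor fix, converts such a directory to salted PBKDF2 records and verifies logins against them. The record format, the work factor and the sample accounts are assumptions; a temporary directory stands in for the real folder.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor for this example
PREFIX = "pbkdf2-sha256"

def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def migrate_users_dir(users_dir: Path) -> int:
    """Replace each cleartext per-user file with 'pbkdf2-sha256$salt$hash'."""
    migrated = 0
    for user_file in sorted(p for p in users_dir.iterdir() if p.is_file()):
        content = user_file.read_text(encoding="utf-8").strip()
        if content.startswith(PREFIX + "$"):
            continue                                  # already migrated
        salt = os.urandom(16)
        tmp = user_file.with_name(user_file.name + ".tmp")
        tmp.write_text(f"{PREFIX}${salt.hex()}${derive(content, salt).hex()}", encoding="utf-8")
        os.replace(tmp, user_file)                    # atomic swap of the record
        migrated += 1
    return migrated

def verify(users_dir: Path, username: str, password: str) -> bool:
    # The file name is the username, so refuse anything that could leave the directory.
    if not username or username in (".", "..") or any(c in username for c in "/\\:"):
        return False
    user_file = users_dir / username
    if not user_file.is_file():
        return False
    parts = user_file.read_text(encoding="utf-8").strip().split("$")
    if len(parts) != 3 or parts[0] != PREFIX:
        return False                                  # legacy cleartext record: refuse
    salt, expected = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    return hmac.compare_digest(derive(password, salt), expected)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:          # constructed stand-in for the users folder
        users = Path(d)
        (users / "alice").write_text("Winter2003!", encoding="utf-8")
        (users / "bob").write_text("letmein", encoding="utf-8")
        first, second = migrate_users_dir(users), migrate_users_dir(users)
        return {"first": first, "second": second,
                "leak": "letmein" in (users / "bob").read_text(encoding="utf-8"),
                "good": verify(users, "alice", "Winter2003!"), "bad": verify(users, "alice", "letmein"),
                "escape": verify(users, "../alice", "Winter2003!")}
```

Hashing limits what a reader of the files learns; restricting the directory's ACL to the service account is still needed so local users cannot read or replace the records.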

Solution:  No solution was available at the time of this entry.
Vendor URL:  www.mollensoft.com/product3.htm
Cause:  Access control error, Input validation error
Underlying OS:  Windows (Any)
Reported By:  Ziv Kamir <vulncode@yahoo.com>
Message History:   None.


 Source Message Contents

Date:  Mon, 9 Jun 2003 07:58:33 -0700 (PDT)
From:  Ziv Kamir <vulncode@yahoo.com>
Subject:  Vulnerability in the Enceladus Server Suite

 

Hi,

Attached TxT file.

09/06/03

Ziv Kamir
---------				

-------------------------------------------------------

Application: Enceladus Server Suite
Web Site:    http://www.mollensoft.com
Versions:    3.9.11
Platform:    Windows
Bugs:         
            1)  Clear Text Password Storage Vulnerability .    
            2)  CSS ( Cross Site Scripting )
            3)  Read the htaccess.txt file Under the "Secure File Download" Folder

             
Credits:
########

#################################
#                               #
# Ziv Kamir                     #
#                               #
# Email : vulncode@yahoo.com    #
#                               #
#                               #
#################################

---------------------

1) Introduction
2) Bug
3) The Code
4) Fix


===============
1) Introduction
===============

Enceladus Server Suite is an Internet/Intranet lightweight Web and FTP Server for Windows, provides secure file sharing on any network! Perfect for Broadband, Cable Modem, Small business and Personal Use.

======
2) Bug
======

1) Enceladus Server Suite stores all usernames and passwords under the Folder \Program Files\enceladus\users in clear text. Under the folder there is a File For each User ( the file name is The UserName ) And inside the file The PassWord .

2) Any Remote user Can "Sign The GuestBook" with CSS ( under the "E-mail Address" Field Or Under the "Comments" Field ).

3) Any authorized user that has the Security Right to download files from the "Secure File Downloads" Can read the htaccess.txt file which Contains all the usernames and their passwords to the "Secure Download" Folder.

===========
3) The Code
===========

3) http://10.10.10.1/secure-downloads/htaccess.txt

======
4) Fix
======

Date of Vendor Notification: 09-06-03
Status:

==============================================================================================
*** The Data is for educational purpose only.
*** The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
==============================================================================================



Copyright 2002, SecurityGlobal.net LLC