Forum Web Server Discloses Files to Remote Users and Passwords to Remote Users Sniffing the Network
SecurityTracker Alert ID: 1006890
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 31 2003
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Version(s): 1.6
Description: Ziv Kamir reported several vulnerabilities in the Forum Web Server. A remote user can view files on the system. A remote user monitoring the network can obtain user passwords.
It is reported that a remote user can sniff the network between a target web client and the server to view the target user's password.
The server reportedly sets cookies containing the target user's username and password. A demonstration transaction is provided:
Host: 10.10.10.1
Cookie: IDHTTPSESSIONID=3ertf3dsxfy3aqW; UserID=user10; PassWD=0000
It is also reported that a remote user can supply a URL containing '../' directory traversal characters to view arbitrary files on the system. A demonstration exploit URL is provided:
http://10.10.10.1/../../../boot.ini
Impact: A remote user can view arbitrary files on the system that are readable by the web server.
A remote user can sniff the network to view user passwords.
Solution: No solution was available at the time of this entry.
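As an added example (not part of the advisory or of the reporter's message), the Python sketch below checks a captured plaintext HTTP request for the two conditions described above: a request target that climbs out of the document root, and a cookie that carries a password on every request. The function names, the cookie-name pattern and the sample request are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed pattern for secret-bearing cookie names (covers the page's "PassWD").
CREDENTIAL_COOKIE = re.compile(r"pass|pwd|secret", re.IGNORECASE)

# Constructed sample: the advisory's demonstration values in one request.
SAMPLE = (
    "GET /../../../boot.ini HTTP/1.1\r\n"
    "Host: 10.10.10.1\r\n"
    "Cookie: IDHTTPSESSIONID=3ertf3dsxfy3aqW; UserID=user10; PassWD=0000\r\n\r\n"
)


def escapes_docroot(target):
    """True if the request target climbs above the document root."""
    # Decode once and treat '\' as a separator, as a Windows server would.
    path = unquote(urlsplit(target).path).replace("\\", "/")
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def credential_cookies(cookie_header):
    """Names of cookies that look like they carry a password."""
    names = []
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if value and CREDENTIAL_COOKIE.search(name):
            names.append(name)
    return names


def audit_request(raw):
    """Findings for one captured plaintext HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0].splitlines()
    target = head[0].split(" ", 2)[1]
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in head[1:])}
    findings = ["traversal: " + target] if escapes_docroot(target) else []
    cookies = credential_cookies(headers.get("cookie", ""))
    return findings + ["credential-cookie: " + n for n in cookies]
```

The same depth check works as a server-side guard: a target for which `escapes_docroot` returns true should be rejected before any file is opened, and the cookie should carry only an opaque session identifier.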
Vendor URL: www.minihttpserver.net/home/
Cause: Access control error, Input validation error
Underlying OS: Windows (2000), Windows (XP)
Message History: None.
Source Message Contents
Date: Fri, 30 May 2003 21:35:22 -0400
Subject: Vulnerability Under the Forum Web Server v1.6
-------- Original Message --------
Subject: Vulnerability Under the Forum Web Server v1.6
Date: Fri, 30 May 2003 18:06:43 -0700 (PDT)
From: Ziv Kamir <vulncode@yahoo.com>
To: bugs@securitytracker.com
Hi,
Attached is a TXT file with the explanation.
30/05/03
Ziv Kamir
---------
-------------------------------------------------------
Application: Forum Web Server
Web Site: http://www.minihttpserver.net
Versions: 1.60
Platform: Windows 2000/xp
Bugs:
1) Clear Text Password Storage Vulnerability.
2) Directory traversal
3) CSS (Cross Site Scripting)
4) The UserName and Password are sent in clear text with any web page.
Credits:
########
#################################
# #
# Ziv Kamir #
# #
# Email : vulncode@yahoo.com #
# #
# #
#################################
---------------------
1) Introduction
2) Bug
3) The Code
4) Fix
===============
1) Introduction
===============
Forum Web Server is an all-in-one web server for creating your forum system. Web Forums Server does not need any other database server or CGI server. You do not need to write any HTML code or database code either.
Web Forums Server has a built-in user management system, Message Board system, ShareFile system and Share Photo system. With the user management system, for example, you can control all users and the messages they post.
Web Forums Server has a powerful search engine too; all users can search any message from the browser.
=======
2) Bug
=======
----------------------------------------------------------------------------------------------------
1)
Forum Web Server stores all usernames and passwords in the file \Program Files\Web Froums Server\User.ini in clear text. If a malicious user were to gain access to this file, they would have a list of all usernames and their associated passwords.
----------------------------------------------------------------------------------------------------
2)
Forum Web Server suffers from directory traversal, and with the first vulnerability (clear text password) any remote attacker can view any username and password under the Forum Web Server or read files on the system.
----------------------------------------------------------------------------------------------------
3)
Forum Web Server suffers from CSS (Cross Site Scripting): any user that can post a message under the "Message Forum" option can post a "CSS" message.
----------------------------------------------------------------------------------------------------
4)
Anyone who can sniff the relevant network tunnel can view the UserName and Password in clear text.
Example:
********
Host: 10.10.10.1
Cookie: IDHTTPSESSIONID=3ertf3dsxfy3aqW; UserID=user10; PassWD=0000
----------------------------------------------------------------------------------------------------
===========
3) The Code
===========
Directory traversal
===================
http://10.10.10.1/../user.ini ( To Get The Usernames And Passwords )
Or
http://10.10.10.1/../../../boot.ini
CSS
====
Any user that can post a message under the "Message Forum" can post something like this:
<script>alert("C.S.S")</script>
Or
<script>alert("document.cookie")</script>
======
4) Fix
======
Date of Vendor Notification:
30/05/03
Status:
===========================================================
*** The Data is for educational purpose only. ***
===========================================================