Forum Web Server Discloses Files to Remote Users and Passwords to Remote Users Sniffing the Network
SecurityTracker Alert ID: 1006890
SecurityTracker URL: http://securitytracker.com/id/1006890
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 31 2003
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Version(s): 1.6
Description:
Ziv Kamir reported several vulnerabilities in the Forum Web Server. A remote user can view files on the system. A remote user monitoring the network can obtain user passwords.
It is reported that a remote user can sniff the network between a target web client and the server to view the target user's password. The server reportedly sets cookies containing the target user's username and password. A demonstration transaction is provided:
Host: 10.10.10.1
Cookie: IDHTTPSESSIONID=3ertf3dsxfy3aqW; UserID=user10; PassWD=0000
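Added example (not part of the advisory and not the vendor's code): a Python sketch that flags credential-bearing cookies in a captured Cookie header such as the one above, and shows the server-side alternative of issuing an opaque session token. The cookie name `sid`, the in-memory `SESSIONS` store and the credential-name pattern are assumptions made for the example.

```python
import re
import secrets
from http.cookies import SimpleCookie

# Heuristic chosen for this example: cookie names that suggest a credential.
CREDENTIAL_NAME = re.compile(r"pass|pwd|secret", re.IGNORECASE)
SESSIONS = {}  # hypothetical in-memory store: token -> username


def audit_cookie_header(header_value):
    """Names of cookies in a Cookie header that look like credentials."""
    jar = SimpleCookie()
    jar.load(header_value)
    return sorted(name for name in jar if CREDENTIAL_NAME.search(name))


def issue_session(username):
    """Create a server-side session; return the Set-Cookie value for it.

    Only a random token leaves the server. The password is never placed in
    the session or echoed to the client.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    jar = SimpleCookie()
    jar["sid"] = token
    jar["sid"]["path"] = "/"
    jar["sid"]["secure"] = True      # never sent over plain HTTP
    jar["sid"]["httponly"] = True    # not readable by page scripts
    jar["sid"]["samesite"] = "Strict"
    return jar["sid"].OutputString()


def lookup(cookie_header):
    """User bound to the request's sid cookie, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("sid")
    return SESSIONS.get(morsel.value) if morsel else None


if __name__ == "__main__":
    # Cookie header from the advisory's demonstration transaction.
    demo = "IDHTTPSESSIONID=3ertf3dsxfy3aqW; UserID=user10; PassWD=0000"
    print(audit_cookie_header(demo))
    print(issue_session("user10"))
```

The Secure attribute only has an effect when the site is served over TLS, which is what actually removes the sniffing exposure.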
It is also reported that a remote user can supply a URL containing '../' directory traversal characters to view arbitrary files on the system. A demonstration exploit URL is provided:
http://10.10.10.1/../../../boot.ini
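Added example (not part of the advisory and not the vendor's code): a Python sketch of the containment check a file-serving handler needs before opening a requested path, run against the advisory's demonstration URLs. The document root `C:\srv\forum\wwwroot` is constructed for the example, and the check goes slightly beyond the reported case by also handling encoded separators and drive-qualified paths.

```python
import ntpath
from urllib.parse import unquote, urlsplit

# Constructed document root for the example; the advisory does not state the
# product's real web root.
DOC_ROOT = r"C:\srv\forum\wwwroot"


def resolve_request(url, doc_root=DOC_ROOT):
    """Map a request URL to a Windows path under doc_root.

    Returns the normalised path, or None when the request would leave the
    document root. The check is lexical (ntpath), so it behaves the same on
    any platform.
    """
    path = unquote(urlsplit(url).path)      # decode %2e%2e, %5c, ... once
    if "\x00" in path:
        return None
    # Windows accepts both separators, so fold them before normalising.
    rel = path.replace("/", "\\").lstrip("\\")
    # "C:\boot.ini" or "C:boot.ini" would make join() discard doc_root.
    if ntpath.splitdrive(rel)[0]:
        return None
    root = ntpath.normpath(doc_root)
    candidate = ntpath.normpath(ntpath.join(root, rel))
    # Compare whole path components, case-insensitively: a plain string
    # prefix test would wrongly accept a sibling such as ...\wwwroot-backup.
    common = ntpath.commonpath([root, candidate])
    inside = ntpath.normcase(common) == ntpath.normcase(root)
    return candidate if inside else None


if __name__ == "__main__":
    for url in (
        "http://10.10.10.1/index.htm",            # constructed benign request
        "http://10.10.10.1/../user.ini",          # from the advisory
        "http://10.10.10.1/../../../boot.ini",    # from the advisory
        "/%2e%2e%5c%2e%2e%5cboot.ini",            # constructed encoded form
    ):
        print(url, "->", resolve_request(url))
```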

Impact:
A remote user can view arbitrary files on the system that are readable by the web server.
A remote user can sniff the network to view user passwords.

Solution: No solution was available at the time of this entry.
Vendor URL: www.minihttpserver.net/home/
Cause: Access control error, Input validation error
Underlying OS: Windows (2000), Windows (XP)
Message History: None.

Source Message Contents

Date: Fri, 30 May 2003 21:35:22 -0400
Subject: Vulnerability Under the Forum Web Server v1.6
-------- Original Message --------
Subject: Vulnerability Under the Forum Web Server v1.6
Date: Fri, 30 May 2003 18:06:43 -0700 (PDT)
From: Ziv Kamir <vulncode@yahoo.com>
To: bugs@securitytracker.com
Hi,
Attached is a TXT file with the explanation.
30/05/03
Ziv Kamir
---------
-------------------------------------------------------
Application: Forum Web Server
Web Site: http://www.minihttpserver.net
Versions: 1.60
Platform: Windows 2000/XP
Bugs:
1) Clear text password storage vulnerability.
2) Directory traversal
3) CSS (Cross Site Scripting)
4) The username and password are sent in clear text with any web page.
Credits:
########
#################################
# #
# Ziv Kamir #
# #
# Email : vulncode@yahoo.com #
# #
# #
#################################
---------------------
1) Introduction
2) Bug
3) The Code
4) Fix
===============
1) Introduction
===============
Forum Web Server is an all-in-one web server for creating your forum system. Web Forums Server does not need any other database server or CGI server. You do not need to write any HTML code or database code either.
Web Forums Server has a built-in user management system, message board system, ShareFile system and Share Photo system. For example, with the user management system you can control all users and what messages they post.
Web Forums Server has a powerful search engine too; all users can search any message from the browser.
=======
2) Bug
=======
--------------------------------------------------------------------------------------------------------------------------
1)
Forum Web Server stores all usernames and passwords in the file \Program Files\Web Froums Server\User.ini in clear text. If a malicious user were to gain access to this file, they would have a list of all usernames and their associated passwords.
--------------------------------------------------------------------------------------------------------------------------
2)
Forum Web Server suffers from directory traversal, and with the first vulnerability (clear text password) any remote attacker can view any username and password under the Forum Web Server or read files on the system.
---------------------------------------------------------------------------------------------------------------------------
3)
Forum Web Server suffers from CSS (Cross Site Scripting): any user that can post a message under the "Message Forum" option can post a "CSS" message.
---------------------------------------------------------------------------------------------------------------------------
4)
Anyone who can sniff the relevant network tunnel can view the username and password in clear text.
Example:
********
Host: 10.10.10.1
Cookie: IDHTTPSESSIONID=3ertf3dsxfy3aqW; UserID=user10; PassWD=0000
----------------------------------------------------------------------------------------------------------------------------
===========
3) The Code
===========
Directory traversal
===================
http://10.10.10.1/../user.ini (to get the usernames and passwords)
Or
http://10.10.10.1/../../../boot.ini
CSS
====
Any user that can post a message under the "Message Forum" can post something like this:
<script>alert("C.S.S")</script>
Or
<script>alert("document.cookie")</script>
======
4) Fix
======
Date of Vendor Notification:
30/05/03
Status:
===========================================================
*** The Data is for educational purpose only. ***
===========================================================