RE: [cobalt-security] FW: Chili!Soft ASP Multiple Vulnerabilities
- Subject: RE: [cobalt-security] FW: Chili!Soft ASP Multiple Vulnerabilities
- From: Reinoud van Leeuwen <rvanleeuwen@xxxxxxxxxxxx>
- Date: Thu, 22 Feb 2001 10:29:42 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
>
>
> Well here's another one just posted to BugTraq:
>
> I tried the first Example on a Raq4 after starting the
> ChiliSoft ASP server.
>
> http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd
>
> ChiliSoft very politely returns the server's ADMIN and encrypted password to
> the browser.
> The ChiliSoft Server Admin Password is the same as the Server's Main Admin,
> aka Root.
> I don't care to test the other vulnerabilities... ChiliSoft is now gone.
> If anyone finds that any of this is really not applicable to the Raq4's,
> please advise nicely... no need to flame.
>
>
> The advisory author states that he advised the vendor (that would be Cobalt)
> on December 30, 2000.
> I don't see any ChiliSoft Security updates on the Cobalt site.
It seems Chilisoft does a good job emulating an ASP host! :-) A lot of known
vulnerabilities on NT webservers were in the sample scripts that are
installed by default.
>
>
> Here's the complete advisory:
> ==================================================================================
> Author: Stan Bubrouski (stan@xxxxxxxxxxx)
> Date: February 20, 2001
> Package: Chili!Soft ASP
> Versions affected: 3.5.2 and possibly previous versions.
> Severity: (1) A remote user could potentially view sensitive information and
>           take remote control of the server. (2) The installer installs a
>           default username and password for the administrative console if
>           auto-detect of settings is used. (3) There are also several
>           serious file permissions problems.
>
> Problems:
>
> (1) Chili!Soft ASP ships with sample scripts which are located in
> /opt/casp/caspsamp by default and are installed on webservers by default,
> accessible via http://<server>/caspsamp/. A sample script named codebrws.asp,
> probably taken from IIS/4.0 originally, is vulnerable to a "../" attack
> allowing sensitive information to be revealed to remote users. During brief
> testing I was only able to get the script to read files one directory above
> the caspsamp directory, which is the /opt/casp directory by default. This
> directory contains database usernames/passwords, the server logs, and the
> username/password to the administration console. With the password to the
> administrative console, a remote user with web access can remotely manage the
> server, thus opening endless possibilities since the console runs as root.
>
> It appears they attempted to prevent people from viewing files outside the
> samples directory, because when I tried with a URL not containing /caspsamp/
> at the beginning it would fail and warn me that I'm not allowed to view files
> outside the samples directory.
>
> (2) The installer program installs a default username and password for the
> administration console which is remotely accessible via the web. The
> username/password are stored in the file /opt/admin/conf/service.pwd which is
> probably the only file installed with the correct permissions (in this case
> mode 600).
>
> (3) There are several files installed mode 666, which is a serious no-no as
> some logs and configuration files are affected by this. On my system the
> following files were installed mode 666:
>
> /opt/casp/logs/install_summary
> /opt/casp/logs/install
> /opt/casp/logs/register
> /opt/casp/logs/server-3000
> /opt/casp/logs/component
> /opt/casp/caspsamp/401K/database/QEDBF.INI
> /opt/casp/caspsamp/friendship/agent/database/QEDBF.INI
> /opt/casp/caspsamp/friendship/client/database/QEDBF.INI
> /opt/casp/caspsamp/QEDBF.INI
> /opt/casp/chilicom/lib/hkey.current.user
> /opt/casp/chilicom/lib/hkey.local.machine
> /opt/casp/INSTALL/.webserver-cache
> /opt/casp/.installed_db
> /opt/casp/admin/conf/hkey.current.user
> /opt/casp/admin/conf/hkey.local.machine
> /opt/casp/admin/logs/server
>
> This may seem bad, but it gets worse. Most of the files dealing with
> databases such as global_odbc.ini and odbc.ini are all world-readable and
> thus by default expose passwords administrators may later install to local
> users. All configuration files for the server and subsequent other services
> offered by Chili!Soft ASP are also world-readable, exposing even more useful
> information to local users.
>
> Examples:
> http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd
> http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../global_odbc.ini
> http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../admin/logs/server
> http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../LICENSE.LIC
> http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../logs/server-3000
>
> Solution: Remove all references to the sample ASP file in your httpd.conf and
> replace the default admin account. Then change file permissions in /opt/casp
> as your system security dictates (in other words, figure it out for yourself).
> Vendor Status: Vendor was e-mailed these problems on December 30, 2000.
> Copyright ©2001 Stan Bubrouski
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
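The advisory above describes two separate defects: a "view source" script whose containment check only looks at the start of the requested path (item 1), and an install tree full of mode-666 and world-readable files (items 2 and 3). The following is an added example, not code from the advisory, the list, or Chili!Soft. It shows the shape of prefix check that "../" walks past next to a check that normalises the path before comparing, and a small permission audit that reports what a mode-666 log file under an install tree looks like. Only the /caspsamp prefix and the /opt/casp-style file names come from the advisory; the function names and the constructed temp-dir tree are assumptions made here.

```python
"""Defender-side checks for the two problem classes in the advisory above.
Added example: not code from the advisory, the list, or Chili!Soft. The
"/caspsamp" prefix and the file names come from the advisory; the function
names and the constructed demo tree are assumptions made here."""
import os
import posixpath
import stat
import tempfile

SAMPLES_PREFIX = "/caspsamp"  # URL prefix of the sample scripts (from the advisory)


def naive_is_allowed(source: str) -> bool:
    """Prefix check only. Anything that merely *starts* with /caspsamp/ passes,
    so "/caspsamp/../admin/conf/service.pwd" is accepted. This is the shape of
    check the advisory describes: it complains when /caspsamp/ is missing from
    the front of the URL, but never looks at where the path actually ends up."""
    return source.startswith(SAMPLES_PREFIX + "/")


def hardened_is_allowed(source: str) -> bool:
    """Normalise first, then test containment of the *resolved* path.
    Rejects NUL bytes (path truncation in C runtimes), collapses "." and ".."
    segments, and only then compares against the samples prefix."""
    if "\x00" in source:
        return False
    resolved = posixpath.normpath("/" + source.lstrip("/"))
    return resolved.startswith(SAMPLES_PREFIX + "/")


def world_accessible(root: str) -> dict:
    """Walk an install tree and report regular files whose mode grants
    'other' read or write, keyed by path relative to root. World-writable
    (the advisory's mode-666 case) is reported in preference to world-readable
    (the advisory's odbc.ini case)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if st.st_mode & stat.S_IWOTH:
                findings[rel] = "world-writable"
            elif st.st_mode & stat.S_IROTH:
                findings[rel] = "world-readable"
    return findings


def audit_demo_tree() -> dict:
    """Build a constructed /opt/casp-like tree in a temp dir with the three
    permission patterns the advisory mentions, then audit it. Modes are set
    with os.chmod so the result does not depend on the caller's umask."""
    root = tempfile.mkdtemp(prefix="casp-demo-")
    demo = {
        "logs/server-3000": 0o666,        # advisory: installed mode 666
        "global_odbc.ini": 0o644,         # advisory: world-readable DB config
        "admin/conf/service.pwd": 0o600,  # advisory: the one file done right
    }
    for rel, mode in demo.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return world_accessible(root)


if __name__ == "__main__":
    traversal = SAMPLES_PREFIX + "/../admin/conf/service.pwd"
    print("naive   :", naive_is_allowed(traversal))     # True  (the bug)
    print("hardened:", hardened_is_allowed(traversal))  # False
    for rel, finding in sorted(audit_demo_tree().items()):
        print(f"{finding:15} {rel}")
```

The point of `hardened_is_allowed` is the order of operations: decode and normalise the request first, compare second. On a real server the comparison should also be made against the resolved filesystem path (`os.path.realpath` against the document root) so that symlinks inside the samples directory cannot point back out of it; `posixpath.normpath` is used here so the example runs without a filesystem. The audit is the programmatic form of the advisory's "change file permissions in /opt/casp as your system security dictates": run it over the real install tree and fix every entry it reports.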