OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Stan Bubrouski (stanCCS.NEU.EDU)
Date: Tue Feb 20 2001 - 16:35:43 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Author: Stan Bubrouski (stanccs.neu.edu)
    Date: February 20, 2001
    Package: Chili!Soft ASP
    Versions affected: 3.5.2 and possibly previous versions.
    Severity: (1) A remote user could potentially view sensative information and
                  take remote control of the server. (2) The installer installs
                  a default username and password for the adminstrative console
                  if auto-detect of settings is used. (3) There are also several
                  serious file permissions problems.

    Problems:

    (1) Chili!Soft ASP ships with samples scripts which are located in
        /opt/casp/caspsamp by default and are installed on webservers by default
        accessable via http://>/caspsamp/ A sample script named
        codebrws.asp prolly taken from IIS/4.0 originally is vulnerable to a
        "../" attack allowing sensative information to be revieled to remote
        users. During brief testing I was only able to get the script to read
        files on directory above the caspsamp directory which is the /opt/casp
        directory by default. This directory contains database
        usernames/passwords, the server logs, and the username/password to
        administration console. With the password to the administrative console
        a remote user with web access can remotely manage the server thus
        openning endless possibilies since the console runs as root.

        It appears they attempted to prevent people from viewing files outside
        the samples directory because when I tried with an url not containing
        /caspsamp/ at the begining it would fail and warn me that I'm not allowed
        to view files outside the samples directory.

    (2) The installer program installs a default username and password for
        adminstration console which is remotely accessable via the web. The
        username/password are stored in the file /opt/admin/conf/service.pwd
        which is probably the only file installed with the correct permissions
        (in this case mode 600).

    (3) There are several files installed mode 666 which is a serious no-no as
        some logs and configuration files are affected by this. On my system the
        following files were installed mode 666:

    /opt/casp/logs/install_summary
    /opt/casp/logs/install
    /opt/casp/logs/register
    /opt/casp/logs/server-3000
    /opt/casp/logs/component
    /opt/casp/caspsamp/401K/database/QEDBF.INI
    /opt/casp/caspsamp/friendship/agent/database/QEDBF.INI
    /opt/casp/caspsamp/friendship/client/database/QEDBF.INI
    /opt/casp/caspsamp/QEDBF.INI
    /opt/casp/chilicom/lib/hkey.current.user
    /opt/casp/chilicom/lib/hkey.local.machine
    /opt/casp/INSTALL/.webserver-cache
    /opt/casp/.installed_db
    /opt/casp/admin/conf/hkey.current.user
    /opt/casp/admin/conf/hkey.local.machine
    /opt/casp/admin/logs/server

        This may seem bad it gets worse. Most of the files dealing with
        databases such as global_odbc.ini and odbc.ini are all world-readable and
        thus by default expose passwords administrators may lator install to
        local users. All configuration files for the server and subsequent other
        services offered Chili!Soft ASP are also world-readable exposing even
        more useful information to local users.

    Examples:
    http://>/caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd
    http://>/caspsamp/codebrws.asp?source=/caspsamp/../global_odbc.ini
    http://>/caspsamp/codebrws.asp?source=/caspsamp/../admin/logs/server
    http://>/caspsamp/codebrws.asp?source=/caspsamp/../LICENSE.LIC
    http://>/caspsamp/codebrws.asp?source=/caspsamp/../logs/server-3000

    Solution: Remove all references to the sample ASP file in your httpd.conf and
    replace the default admin account. Then change file permissions in /opt/casp
    as your system security dictates (in other words figure it out for yourself)

    Vendor Status: Vendor was e-mailed these problems on December 30, 2000.

    Copyright 2001 Stan Bubrouski