From: BrainRawt . (brainrawthotmail.com)
Date: Thu Apr 11 2002 - 21:07:54 CDT


    --------------------------------------------------------------------
    Dear Bugtraq Readers,

    I wasn't sure if this advisory deserved space on the Bugtraq mailing
    list, but as a friend of mine helped me to remember, "All security flaws are
    important no matter what their size." I guess I'll go ahead,
    hit send and let you decide.

    -BrainRawt
    --------------------------------------------------------------------

    SWS (StepWeb Search Engine) Administrative Access Vulnerability
    Discovered by BrainRawt.

    Vulnerable: SWS 2.5 (free version); possibly other versions as well,
                including SWS Gold.

    About SWS:
    ----------------
    SWS is a search engine, downloadable at www.stepweb.com, that finds
    one or more words in a flat-file database in which URLs have been stored
    and then prints the results to the screen as HTML.

    Vendor Contact:
    ----------------
    4-01-02: An email was sent to stepweb.com describing this issue.

              No reply yet.

    Vulnerability:
    ----------------
    SWS comes with an administration page that allows one to add addresses
    to and delete them from the database, and to view the log file that
    stores every search term submitted. This page is called admin.html and
    can normally be found in the same directory as the search engine itself.
    Its links point to a password-protected CGI script called manager.pl.
    The problem is that admin.html does not merely point to manager.pl: it
    embeds the administrative password in the query string of each link,
    as shown below.

    http://www.mysite.com/cgi-bin/sws/manager.pl?add&pass=PassWord
    http://www.mysite.com/cgi-bin/sws/manager.pl?del&pass=PassWord
    http://www.mysite.com/cgi-bin/sws/manager.pl?log&pass=PassWord

    Exploit:
    ----------------
    Anyone who can find the location of the "admin.html" file can easily
    add addresses to the search database or view the log file that stores
    all searches made by users of the engine. Addresses cannot be deleted
    this way, because each is individually password protected and those
    passwords are stored in an inaccessible .dat file.

    EXAMPLE: http://www.mysite.com/sws/admin.html and click the links. The
    hardcoded links will do the rest. SHEESH!!!!

    Fix:
    ---------------
    NONE AT THE TIME OF THIS WRITING!

    My advice is to place admin.html in a directory protected by .htaccess,
    or to rewrite the HTML so that the user must type the password instead of
    clicking on a link that already contains it. :)
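    As an added illustration (not part of the original advisory), the Python
    below scans an admin page for links that embed a password in the query
    string, the exact pattern shown above, and rebuilds the page as the
    form-based version the Fix section recommends. The sample admin.html, the
    SECRET_PARAMS list and the assumption that manager.pl accepts its parameters
    as form fields are mine, not taken from SWS.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit
import html

# Constructed sample modelled on the admin.html the advisory describes;
# "PassWord" is the advisory's placeholder, not a real credential.
ADMIN_HTML = """<html><body>
<a href="http://www.mysite.com/cgi-bin/sws/manager.pl?add&pass=PassWord">Add URL</a>
<a href="http://www.mysite.com/cgi-bin/sws/manager.pl?del&pass=PassWord">Delete URL</a>
<a href="http://www.mysite.com/cgi-bin/sws/manager.pl?log&pass=PassWord">View log</a>
<a href="http://www.mysite.com/sws/">Back to search</a>
</body></html>"""

SECRET_PARAMS = {"pass", "passwd", "password", "pw"}  # query keys that must never sit in a link

class LinkCollector(HTMLParser):
    """Gather every <a href> on the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def find_credential_links(page):
    """Return (script_url, action, secret_key) for each link like manager.pl?add&pass=..."""
    collector = LinkCollector()
    collector.feed(page)
    hits = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        params = parse_qs(parts.query, keep_blank_values=True)
        secrets = sorted(k for k in params if k.lower() in SECRET_PARAMS)
        if not secrets:
            continue
        # the bare action token (add/del/log) parses as a key with an empty value
        action = next((k for k in params if params[k] == [""]), "")
        hits.append((parts._replace(query="", fragment="").geturl(), action, secrets[0]))
    return hits

def hardened_admin_page(page):
    """Rebuild the admin page so the password is typed into a form, not stored in a link.
    Hypothetical assumption: manager.pl accepts the same parameter names as form fields."""
    forms = []
    for script, action, secret in find_credential_links(page):
        forms.append(
            '<form method="post" action="%s"><input type="hidden" name="%s" value="">'
            '<label>Password <input type="password" name="%s" autocomplete="off"></label>'
            '<input type="submit" value="%s"></form>'
            % tuple(html.escape(s) for s in (script, action, secret, action)))
    return "<html><body>\n" + "\n".join(forms) + "\n</body></html>"
```

    Running find_credential_links over the sample flags the three manager.pl
    links and leaves the plain search link alone; the rebuilt page contains no
    password at all.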

    --------------------------------------------------------------------
