Re: Sambar Server Beta BUG..

From: Posick, Steve (posicksat_private)
Date: Wed Jun 10 1998 - 12:15:34 PDT

    There is also a buffer overrun in the logging code and a MAJOR hole in
    the mailit script that allows for remote execution of system commands.
    
    In both cases I have notified Tod Sambar and they are hopefully
    fixed.
    
    -----Original Message-----
    From:   Michiel de Weerd [SMTP:webmasterat_private]
    Sent:   Wednesday, June 10, 1998 12:13 PM
    To:     BUGTRAQat_private
    Subject:        Sambar Server Beta BUG..
    
    Sambar Server betas have a serious bug! It is possible to view the
    victim's HDD.
    
    This is how it's done:
    
    Assume you find a computer running Sambar Server by searching the
    Internet with these key-words: +sambar +server +v4.1
    
    If you find a site like: http://www.site.net/
    
    then do a test, run a little perl script...
    
    http://www.site.net/cgi-bin/dumpenv.pl
    
    Now you see the complete environment of the victim's computer,
    including his path. Now you can try to login as the administrator by
    adding this to the url: /session/adminlogin?RCpage=/sysadmin/index.stm
    
    so: http://www.site.net/session/adminlogin?RCpage=/sysadmin/index.stm
    
    The default login is: admin and the default password is blank.
    
    If the victim hasn't changed his settings, you now can control his
    server.
    
    Another feature is to view the victim's HDD. If you were able to run
    the perl script you should also be able (in most cases) to view
    directories from his path. Most people have c:/program files and
    c:/windows in the path line, so what you can do is:
    
    http://www.site.net/c:/program files/sambar41
    
    FIX:
    
    1) Upgrade to a non-beta version of Sambar Server.
    2) Don't allow directory browsing if index.html or default.html isn't
    found.
    3) Change the admin username and password before someone else changes
    it for you.
    
    CC to Tod Sambar - http://www.sambar.com
    
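Added example, not part of either message and not Sambar's own code: a small Python check over constructed Common Log Format lines that flags the three request shapes the post describes (the dumpenv.pl CGI, the admin login page, and an absolute drive-letter path under the web root), decoding percent-escapes first so an encoded colon or space is not missed. The log layout, hosts and timestamps are assumed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); hosts and times are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/1998:12:13:01 -0700] "GET /index.html HTTP/1.0" 200 2048
10.0.0.7 - - [10/Jun/1998:12:13:04 -0700] "GET /cgi-bin/dumpenv.pl HTTP/1.0" 200 1187
10.0.0.7 - - [10/Jun/1998:12:13:09 -0700] "GET /session/adminlogin?RCpage=/sysadmin/index.stm HTTP/1.0" 200 512
10.0.0.7 - - [10/Jun/1998:12:13:15 -0700] "GET /c:/program%20files/sambar41 HTTP/1.0" 200 4096
10.0.0.9 - - [10/Jun/1998:12:14:00 -0700] "GET /docs/readme.html HTTP/1.0" 404 301
"""

# One CLF line: client IP, two ident/user fields, bracketed timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Request shapes taken from the post. Matching runs on the decoded path, so
# "/c%3A/program%20files" is treated the same as "/c:/program files".
DUMPENV_RE = re.compile(r'^/cgi-bin/dumpenv\.pl$', re.I)
ADMINLOGIN_RE = re.compile(r'^/session/adminlogin$', re.I)
DRIVE_PATH_RE = re.compile(r'^/[a-z]:[/\\]', re.I)


def classify(target):
    """Return a finding label for one request target, or None if it looks benign."""
    path = unquote(urlsplit(target).path)
    if DUMPENV_RE.match(path):
        return "env-disclosure"
    if ADMINLOGIN_RE.match(path):
        return "admin-login"
    if DRIVE_PATH_RE.match(path):
        return "drive-path-browse"
    return None


def scan_log(text):
    """Parse CLF lines; return (ip, label, status, decoded_path) for each suspicious request.

    A 200 status on a drive-path request means the server actually served the
    directory, which is the condition the post's fix 2) is meant to remove.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m.group("target"))
        if label:
            path = unquote(urlsplit(m.group("target")).path)
            findings.append((m.group("ip"), label, int(m.group("status")), path))
    return findings
```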



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:57:23 PDT