RE: Hosting Directory Traversal madness...

From: Phuong Nguyen (dphuongat_private)
Date: Tue Mar 19 2002 - 06:52:50 PST


    Guys,
    
    I'm sorry, it's my bad not to tell which platform and
    version I tested on. I tested on Windows 2000, version
    1.4.1 with all patches applied, probably affected
    previous versions as well.
    
    Phuong
    
    --- "Shannon.ONeil" <Shannon.ONeilat_private> wrote:
    > Phuong,
    > 
    > What is the platform, please?
    > 
    > 
    > -----Original Message-----
    > From: Phuong Nguyen [mailto:dphuongat_private]
    > Sent: Monday, March 18, 2002 16:44
    > To: bugtraqat_private
    > Subject: Hosting Directory Traversal madness...
    > 
    > 
    > Hosting Controller directory traversal (/../) madness
    > 
    > Date 03/14/2002
    > 
    > Some hosting providers mailed me and asked me to do a
    > bit more research about Hosting Controller; they
    > said their clients' sites have been deleted
    > mysteriously, and defacement still happens quite at
    > large even though they have applied all the patches.
    > So here's what I found.
    > 
    > Bug #1
    > 
    > File_editor.asp allows clients to edit their web pages
    > online, without the need to download, edit the pages
    > and re-upload using FTP. File_editor.asp is vulnerable
    > to the /../ which allows an attacker to break out of his
    > root path and edit any files on the hosts.
    > 
    > Bug #2
    > 
    > Folderactions.asp is also vulnerable to dot dot slash
    > /../, which allows an attacker to create and delete files
    > and directories on the server at his choice. This is
    > rather dangerous because Hosting Controller does not
    > perform proper permission checking and user right
    > checking so the attacker can delete anything he wants.
    > The current patches from Hosting Controller do NOT fix
    > this.
    > 
    > If you combine those two bugs together then you
    > actually can compromise the server. I won't explain to
    > you how to do that in order to protect the Hosting
    > Controllers' users.
    > 
    > Fix:
    > 
    > I attached the fixed version of folderactions.asp and
    > file_editor.asp. All you need to do is replace your
    > old *.asp files with these ones.
    > 
    > Vendor has been contacted.
    > 
    > Phuong Nguyen
    > 
    > 
    
    
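The kind of root-path confinement check that both bugs in the thread above come down to, as an added example that is not part of the original posts and is not the attached fix or Hosting Controller's own code. It is written in Python rather than ASP and uses Windows path rules through ntpath; the function names, the client root C:\webspace\client1 and the sample requests are hypothetical.

```python
import ntpath  # Windows path semantics, usable on any OS


def resolve_in_root(root, requested):
    """Map a client-supplied path onto `root`; raise ValueError if it escapes."""
    if "\x00" in requested or ":" in requested:
        # NUL bytes, drive letters (D:\...) and stream suffixes have no place
        # in a path that is meant to be relative to the client's own folder.
        raise ValueError("illegal character in path")
    # Treat the request as relative to the client root, whatever it starts with.
    relative = requested.lstrip("/\\")
    # normpath collapses /../ and \..\ sequences before any comparison is made.
    candidate = ntpath.normpath(ntpath.join(root, relative))
    root_key = ntpath.normcase(ntpath.normpath(root))
    cand_key = ntpath.normcase(candidate)
    # Compare whole path components: a plain string-prefix test would accept
    # ...\client10 as being "inside" ...\client1.
    if ntpath.commonpath([root_key, cand_key]) != root_key:
        raise ValueError("path escapes the client root")
    return candidate


def is_allowed(root, requested):
    """True when `requested` stays inside `root`."""
    try:
        resolve_in_root(root, requested)
        return True
    except ValueError:
        return False


# Constructed sample values, not taken from the advisory.
ROOT = r"C:\webspace\client1"
SAMPLES = [
    "/docs/page.asp",
    "/docs/../index.asp",
    "/../client2/index.asp",
    "/../client10/index.asp",
    "..\\..\\other.txt",
    "D:\\data\\x.asp",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "allow" if is_allowed(ROOT, sample) else "reject"
        print(f"{verdict:6}  {sample}")
```

The check is lexical only: it does not resolve junctions or links on disk, and it does not replace the per-user permission checks the post says are missing.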
    



    This archive was generated by hypermail 2b30 : Wed Mar 20 2002 - 23:20:25 PST