SWS Vuln (small but important to those using it.)

From: BrainRawt . (brainrawtat_private)
Date: Thu Apr 11 2002 - 19:07:54 PDT


    --------------------------------------------------------------------
    Dear Bugtraq Readers,
    
    I wasn't sure if this advisory deserved space on the Bugtraq mailing
    list, but as a friend of mine helped me to remember, "All security flaws are
    important no matter what their size." I guess I'll go ahead,
    hit send and let you decide.
    
    -BrainRawt
    --------------------------------------------------------------------
    
    SWS (StepWeb Search Engine) Administrative Access Vulnerability
    Discovered by BrainRawt.
    
    Vulnerable: SWS 2.5 (free version) and possibly others. SWS Gold
                maybe?
    
    About SWS:
    ----------------
    SWS is a search engine downloadable at www.stepweb.com. It finds one
    or more words in a flat file database where URLs have been stored, and
    then prints the results to the screen in HTML format.
    
    Vendor Contact:
    ----------------
    4-01-02 - An email was sent to stepweb.com discussing this issue.
    
              No Reply Yet!!!
    
    Vulnerability:
    ----------------
    SWS comes with an administration page that allows one to add/del
    addresses to/from the database and to view the log file that stores
    all searched items.  This page, known as admin.html, can normally be
    found in the same dir as the search engine itself.  It links to a
    password protected cgi script known as manager.pl.  Not only does
    admin.html point to manager.pl, but it also stores the password in
    the html links as shown below.
    
    http://www.mysite.com/cgi-bin/sws/manager.pl?add&pass=PassWord
    http://www.mysite.com/cgi-bin/sws/manager.pl?del&pass=PassWord
    http://www.mysite.com/cgi-bin/sws/manager.pl?log&pass=PassWord
    
    Exploit:
    ----------------
    If one were to find the location of the "admin.html" file, that person
    could easily add addresses to the search database or view the log file
    that stores all searches made by users of the engine.  Deletion of
    addresses cannot be made, for they are individually password protected
    and the passwords are stored in an inaccessible .dat file.
    
    EXAMPLE: http://www.mysite.com/sws/admin.html and click the links. The
    hardcoded links will do the rest.  SHEESH!!!!
    
    Fix:
    ---------------
    NONE AT THE TIME OF THIS WRITING!
    
    My advice is to place admin.html in a directory protected by .htaccess,
    or rewrite the html so that the user must input the password instead of
    clicking on it.  :)
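As an added example (not part of the original advisory and not StepWeb's code): a small Python audit that flags links whose query string carries a credential-like parameter, run over a constructed page shaped like the admin.html links quoted above and over a hardened variant that takes the password from a POST form instead. It also scans a couple of constructed access-log lines, since a password sent in a GET query string is recorded by web server and proxy logs as well as being visible in the page. The parameter-name list, the sample HTML and the log lines are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Query-string parameter names that commonly carry secrets (assumed list).
SECRET_PARAMS = {"pass", "password", "passwd", "pwd", "secret", "token", "key"}


class LinkCollector(HTMLParser):
    """Collects every href, src and action attribute value in an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def secret_params(url):
    """Return the sorted names of credential-like query parameters in a URL."""
    query = urlsplit(url).query
    # keep_blank_values=True so "add&pass=x" yields ("add", "") and ("pass", "x")
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SECRET_PARAMS)


def audit_html(html):
    """Return [(url, [param names])] for every link that embeds a credential."""
    collector = LinkCollector()
    collector.feed(html)
    return [(url, secret_params(url)) for url in collector.links if secret_params(url)]


# Request-target extraction for common/combined log format lines.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan_access_log(lines):
    """Return [(line, [param names])] for requests whose target carries a credential."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        params = secret_params(match.group(1))
        if params:
            hits.append((line, params))
    return hits


# Constructed sample page in the shape the advisory describes (not the real admin.html).
VULNERABLE_ADMIN_HTML = """
<html><body>
<a href="http://www.mysite.com/cgi-bin/sws/manager.pl?add&pass=PassWord">Add URL</a>
<a href="http://www.mysite.com/cgi-bin/sws/manager.pl?del&pass=PassWord">Delete URL</a>
<a href="http://www.mysite.com/cgi-bin/sws/manager.pl?log&pass=PassWord">View log</a>
</body></html>
"""

# Hardened variant (constructed): the operator types the password into a form and it
# travels in the POST body, so it is neither readable in the page nor logged as a URL.
HARDENED_ADMIN_HTML = """
<html><body>
<form method="post" action="/cgi-bin/sws/manager.pl">
  <input type="hidden" name="action" value="add">
  <input type="password" name="pass">
  <input type="submit" value="Add URL">
</form>
</body></html>
"""

# Constructed access-log lines: one ordinary search, one admin request via the GET links.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [11/Apr/2002:19:07:54 -0700] "GET /cgi-bin/sws/search.pl?q=linux HTTP/1.0" 200 812',
    '192.0.2.10 - - [11/Apr/2002:19:08:10 -0700] "GET /cgi-bin/sws/manager.pl?log&pass=PassWord HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for url, params in audit_html(VULNERABLE_ADMIN_HTML):
        print("credential in link:", url, params)
    print("hardened page findings:", audit_html(HARDENED_ADMIN_HTML))
    for line, params in scan_access_log(SAMPLE_ACCESS_LOG):
        print("credential in access log:", params, line)
```

The HTML audit is the check to run against any static admin pages before publishing them; the log scan is the companion check that tells you whether a password has already been written to disk in the query string, which is the reason the fix is a POST form (or an .htaccess-protected directory) rather than just hiding admin.html.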
    
    --------------------------------------------------------------------
    
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 12 2002 - 11:31:55 PDT