Advisory for Easy File Sharing Web Server 1.2

------------------------------------------------------------------
Easy File Sharing Web Server 1.2
------------------------------------------------------------------
-= by Dr_insane (dr_insane@pathfinder.gr) =-

Product:
--------
Easy File Sharing Web Server 1.2

Vulnerabilities:
----------------
1. Directory traversal bugs
2. XSS vulnerabilities
3. HTML injection
4. Passwords in clear text

Description of product:
-----------------------
Easy File Sharing Web Server is a file sharing system that allows visitors to upload and download files easily through a web browser (IE, Netscape, Opera etc.). It can help you share files with your friends and colleagues. They can download files from your computer or upload files from theirs. They will not be required to install this software or any other software, because an internet browser is enough. Easy File Sharing Web Server also provides a Bulletin Board System (BBS, forum). It allows remote users to post messages and files to the forum.

VULNERABILITY / EXPLOIT
=======================
There are multiple vulnerabilities in Postnuke Easy File Sharing Web Server 1.2, as described below.

1. Directory traversal

Easy File Sharing Web Server has a directory traversal vulnerability. Using the string '../' in a URL, an attacker can gain read access to any file outside of the intended web-published filesystem directory. There is not much to expand on this one....

Example:

http://127.0.0.1/../../../autoexec.bat
  shows autoexec.bat

http://127.0.0.1/.../.../.../program files/Easy File Sharing Web Server/users.sdb
  gets the server password file

Also:

http://127.0.0.1/msg.ghp?forumid=4&id=/../../../../../../../../windows/win.ini
http://127.0.0.1/msg.ghp?forumid=/../../../../../../../../windows/win.ini

etc etc etc

2. XSS vulnerabilities

A vulnerability exists in the Easy File Sharing Web Server that involves incorrect filtering of server signature data. The vulnerability could enable an attacker to hijack web sessions, allowing a range of potential compromises on the targeted host.

The vulnerable URLs are:

http://127.0.0.1/newmsg.ghp?forumid=1

Insert evil JavaScript code in the "Your message" field. The following URL will demonstrate the attack:

Some browsers submit the malicious host header when parsing this request:

Host:

ex. if we supply this code:

we will get:

TEMPLATE:standard;LANG=english; TOKEN:121234122; TOKEN_1=34123123; SHOW_FEATURES=0; db_pass; db_user; SESSIONID=1172; UsserID:dr_insane; PassWD=passtest1111

It is possible for someone to get the username and the password. In our example the username is: dr_insane and the password: passtest1111

3. HTML injection

Any user can inject HTML code when creating a new post. The bug is in the post icon:

<img src="icon.gif" etc.>

If you create a personalized form with this code:

icon.gif"> <script>alert('bug');<script><anytag="

the final code of the post icon is:

<img src="icon.gif"><script>alert('bug');<script><anytag="" etc.>

4. Passwords in clear text

A vulnerability has been identified in Enceladus Server suite allowing malicious local users to see usernames and passwords. The problem is that usernames and passwords for the server are stored in clear text in the file "users.sdb".

Local:
------
Yes

Remote:
-------
We can 0wn the server via remote!

Credits:
--------
Dr_insane
dr_insane@pathfinder.gr , dr_insane@hack.gr
http://members.lycos.co.uk/r34ct/