Re: [cobalt-users] Chili!Soft ASP Multiple Vulnerabilities
- Subject: Re: [cobalt-users] Chili!Soft ASP Multiple Vulnerabilities
- From: "Mike Fritsch" <mfritsch@xxxxxxxxxxxx>
- Date: Sat Feb 24 08:46:42 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
I did not find any references to 'the sample ASP file in your httpd.conf'.
Does anyone know what specific code they are talking about?
Mike
----- Original Message -----
From: "John Cordeiro" <jcordeiro@xxxxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Wednesday, February 21, 2001 2:31 PM
Subject: RE: [cobalt-users] Chili!Soft ASP Multiple Vulnerabilities
> Wow, I just shut off my Chilisoft. Also, I checked the URL against my domain
> server and BAM, password clear as day. Could they make this any easier!
>
> John Corderio
>
> -----Original Message-----
> From: cobalt-users-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of GPS
> Sent: Wednesday, February 21, 2001 4:47 PM
> To: Cobalt-Users@Cobalt. Com
> Subject: [cobalt-users] Chili!Soft ASP Multiple Vulnerabilities
> Importance: High
>
>
> Well here's another one just posted to BugTraq:
>
> I tried the first example on a Raq4 after starting the ChiliSoft ASP server.
>
>
> http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd
>
> ChiliSoft very politely returns the server's ADMIN and encrypted password to
> the browser.
> The ChiliSoft Server Admin Password is the same as the server's main admin,
> aka root.
> I don't care to test the other vulnerabilities... ChiliSoft is now gone.
> If anyone finds that any of this is really not applicable to the Raq4's
> please advise nicely...
> no need to flame.
>
>
> The advisory author states that he advised the vendor (that would be Cobalt)
> on December 30, 2000.
> I don't see any ChiliSoft Security updates on the Cobalt site.
>
>
>
> Here's the complete advisory:
>
> ==================================================================================
> Author: Stan Bubrouski (stan@xxxxxxxxxxx)
> Date: February 20, 2001
> Package: Chili!Soft ASP
> Versions affected: 3.5.2 and possibly previous versions.
> Severity: (1) A remote user could potentially view sensitive information and
> take remote control of the server. (2) The installer installs a default
> username and password for the administrative console if auto-detect of
> settings is used. (3) There are also several serious file permissions
> problems.
>
> Problems:
>
> (1) Chili!Soft ASP ships with sample scripts which are located in
> /opt/casp/caspsamp by default and are installed on webservers by default,
> accessible via http://<server>/caspsamp/. A sample script named
> codebrws.asp, prolly taken from IIS/4.0 originally, is vulnerable to a
> "../" attack allowing sensitive information to be revealed to remote
> users. During brief testing I was only able to get the script to read
> files one directory above the caspsamp directory, which is the /opt/casp
> directory by default. This directory contains database
> usernames/passwords, the server logs, and the username/password to the
> administration console. With the password to the administrative console
> a remote user with web access can remotely manage the server, thus
> opening endless possibilities since the console runs as root.
>
> It appears they attempted to prevent people from viewing files outside
> the samples directory because when I tried with a URL not containing
> /caspsamp/ at the beginning it would fail and warn me that I'm not allowed
> to view files outside the samples directory.
>
> (2) The installer program installs a default username and password for the
> administration console which is remotely accessible via the web. The
> username/password are stored in the file /opt/admin/conf/service.pwd
> which is probably the only file installed with the correct permissions
> (in this case mode 600).
>
> (3) There are several files installed mode 666, which is a serious no-no as
> some logs and configuration files are affected by this. On my system the
> following files were installed mode 666:
>
> /opt/casp/logs/install_summary
> /opt/casp/logs/install
> /opt/casp/logs/register
> /opt/casp/logs/server-3000
> /opt/casp/logs/component
> /opt/casp/caspsamp/401K/database/QEDBF.INI
> /opt/casp/caspsamp/friendship/agent/database/QEDBF.INI
> /opt/casp/caspsamp/friendship/client/database/QEDBF.INI
> /opt/casp/caspsamp/QEDBF.INI
> /opt/casp/chilicom/lib/hkey.current.user
> /opt/casp/chilicom/lib/hkey.local.machine
> /opt/casp/INSTALL/.webserver-cache
> /opt/casp/.installed_db
> /opt/casp/admin/conf/hkey.current.user
> /opt/casp/admin/conf/hkey.local.machine
> /opt/casp/admin/logs/server
>
> This may seem bad; it gets worse. Most of the files dealing with
> databases such as global_odbc.ini and odbc.ini are all world-readable and
> thus by default expose passwords administrators may later install to
> local users. All configuration files for the server and subsequent other
> services offered by Chili!Soft ASP are also world-readable, exposing even
> more useful information to local users.
>
> Examples:
>
> http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd
> http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../global_odbc.ini
> http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../admin/logs/server
> http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../LICENSE.LIC
> http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../logs/server-3000
>
> Solution: Remove all references to the sample ASP file in your httpd.conf and
> replace the default admin account. Then change file permissions in /opt/casp
> as your system security dictates (in other words, figure it out for
> yourself).
>
> Vendor Status: Vendor was e-mailed these problems on December 30, 2000.
>
> Copyright ©2001 Stan Bubrouski
>
>
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
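Added illustration, not part of the advisory or of any message in this thread: a Python model of the two classes of problem the quoted advisory describes, written from the defender's side. Part (1) is modelled as a file-serving check that only looks at the string prefix "/caspsamp/" (so the "../" in the advisory's example URLs slips past it) beside a check that canonicalizes the path before testing containment; part (3) is covered by a small audit that lists world-readable and world-writable files under an install tree, the kind of verification an admin would want after the "change file permissions in /opt/casp" step. The document root, the prefix constant, the check logic and the temporary sample tree are assumptions constructed for the demo; Chili!Soft's real codebrws.asp is not reproduced.

```python
import os
import posixpath
import shutil
import stat
import tempfile

# Layout assumed from the advisory's defaults (constructed for this demo):
# the install directory, and the samples directory served under /caspsamp/.
DOC_ROOT = "/opt/casp"
SAMPLES_URL_PREFIX = "/caspsamp/"


def prefix_check_only(source):
    """The kind of check the advisory describes: refuse any 'source' that
    does not begin with /caspsamp/, but compare the raw string, so
    '/caspsamp/../admin/conf/service.pwd' is accepted."""
    return source.startswith(SAMPLES_URL_PREFIX)


def resolve_source(source, doc_root=DOC_ROOT):
    """Hardened check: canonicalize the requested path first (collapsing
    '.', '..' and repeated slashes), then require the result to stay inside
    the samples directory. Returns the filesystem path to serve, or None.
    The caller must pass the percent-decoded path; a real handler would
    also apply os.path.realpath() to the result so symlinks cannot escape."""
    samples_dir = posixpath.join(doc_root, SAMPLES_URL_PREFIX.strip("/"))
    # Anchor at '/' so a leading '..' cannot climb above the document root.
    canonical = posixpath.normpath("/" + source.lstrip("/"))
    if not (canonical + "/").startswith(SAMPLES_URL_PREFIX):
        return None
    target = posixpath.normpath(doc_root + canonical)
    # Second, independent containment check on the filesystem path.
    if target != samples_dir and not target.startswith(samples_dir + "/"):
        return None
    return target


def world_accessible(root):
    """Audit for the permission problems in part (3): list regular files
    under `root` whose mode grants 'other' read or write. Returns sorted
    (relative path, octal mode, flags) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            flags = []
            if mode & stat.S_IWOTH:
                flags.append("world-writable")
            if mode & stat.S_IROTH:
                flags.append("world-readable")
            if flags:
                rel = os.path.relpath(full, root)
                findings.append((rel, oct(mode), ",".join(flags)))
    return sorted(findings)


def build_demo_tree():
    """Constructed install tree mirroring a few of the advisory's file names
    and modes, so the audit runs offline. The caller removes it afterwards."""
    root = tempfile.mkdtemp(prefix="casp-demo-")
    layout = {
        "logs/server-3000": 0o666,          # listed by the advisory as mode 666
        "global_odbc.ini": 0o644,           # world-readable database config
        "admin/conf/service.pwd": 0o600,    # the one file with a sane mode
        "caspsamp/codebrws.asp": 0o640,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("demo content\n")
        os.chmod(path, mode)
    return root


def audit_demo_tree():
    """Build the constructed tree, audit it, clean up, return the findings."""
    root = build_demo_tree()
    try:
        return world_accessible(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for src in ("/caspsamp/codebrws.asp",
                "/caspsamp/../admin/conf/service.pwd",
                "/caspsamp/../global_odbc.ini"):
        print(f"{src!r}: prefix check {prefix_check_only(src)}, "
              f"hardened -> {resolve_source(src)}")
    for rel, mode, flags in audit_demo_tree():
        print(f"{mode} {flags:35} {rel}")
```

Run it stand-alone and the two traversal URLs from the advisory pass the prefix check but come back as None from the canonicalizing check, while the audit flags only the 666 log and the 644 odbc file. The same walk, pointed at the real /opt/casp, is a quick way to confirm the solution's permission clean-up actually took.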