[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [cobalt-users] userList.php possible exploit
- Subject: RE: [cobalt-users] userList.php possible exploit
- From: Gerald Waugh <gwaugh@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon May 5 07:49:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
On Mon, 5 May 2003, H.P. Noordam wrote:
> On Mon, 5 May 2003, Tom Honec wrote:
> >
> > I would like to bring to your attention a recent exploit which we found
> > on some Cobalt RaQ 550s. I would like your assistance in verifying this
> > possible exploit.
> >
> > Possible Exploit:
> > An authenicated Site Administrator is able to view all users on the
> > local system.
> >
> > Steps to Duplicate:
> > 1. Create a site on the RaQ 550
> > 2. Assign a user with Site Administrator privledge
> > 3. Access the following URL:
> > http://www.domain.com:81/base/user/userList.php?group=
> > 4. Login with the newly created Site Administrator account
> > 5. You should see all users on the server
> >
> > My question to User Group, is has this been corrected by Sun, can it be
> > duplicated?
> >
>
> YES , i can duplicate it. chanching port 81 in your ULR to 444 (the default
> admin port, i can login as ANY site admin, and view the entire list !!
>
> bad bad bad
>
Yes, using 444 instead of 81, I get in, but it is only the users for
that siteadmin that I see, He would have that information anyway.
Gerald
--
http://frontstreetnetworks.com | http://store.raqware.com
Front Street Networks LLC, 229 Front Street, Ste.#C
New Haven, CT 06513-3203 | phone: +1-203-785-0699