RE: [cobalt-users] userList.php possible exploit
- Subject: RE: [cobalt-users] userList.php possible exploit
- From: "H.P. Noordam" <bno@xxxxxxxxx>
- Date: Mon May 5 08:06:00 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
On Mon, 5 May 2003, H.P. Noordam wrote:
> On Mon, 5 May 2003, Tom Honec wrote:
> >
> > I would like to bring to your attention a recent exploit which we found
> > on some Cobalt RaQ 550s. I would like your assistance in verifying this
> > possible exploit.
> >
> > Possible Exploit:
> > An authenticated Site Administrator is able to view all users on the
> > local system.
> >
> > Steps to Duplicate:
> > 1. Create a site on the RaQ 550
> > 2. Assign a user with Site Administrator privilege
> > 3. Access the following URL:
> > http://www.domain.com:81/base/user/userList.php?group=
> > 4. Login with the newly created Site Administrator account
> > 5. You should see all users on the server
> >
> > My question to the User Group is: has this been corrected by Sun, and can it
> > be duplicated?
> >
>
> YES, I can duplicate it. Changing port 81 in your URL to 444 (the default
> admin port), I can login as ANY site admin and view the entire list!!
>
> bad bad bad
>
[G] Yes, using 444 instead of 81, I get in, but it is only the users for
[G] that siteadmin that I see. He would have that information anyway.
Funny, I see all users, from all sites. The key seems to be the acceptance
of the missing group number at the end of the URL by the script.
The attached link shows a JPEG with multiple site admins. On the system,
there is only one site admin for each hosted domain, so you are looking at
users from about 10 different domains here. I can edit them too.
proof/picture: http://www.depopo.net/~depopo/raq-leak.jpg
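The following is an added illustration, not the RaQ 550's own userList.php (the real script is not reproduced in this thread). It models the failure mode the report describes: a user list filtered by a "group" request parameter, where an empty parameter ("?group=") makes the filter disappear instead of being refused, beside a hardened form that derives the permitted group from the session rather than from the URL. The user records, session structure and role names are constructed for the example.

```php
<?php
// Added example, not Cobalt code. Models "?group=" collapsing the user filter.

// Constructed sample: users on the server, each belonging to a hosted site (group).
$allUsers = [
    ['name' => 'alice', 'group' => 'site1'],
    ['name' => 'bob',   'group' => 'site1'],
    ['name' => 'carol', 'group' => 'site2'],
    ['name' => 'dave',  'group' => 'site3'],
];

// Hypothetical session: the caller is Site Administrator of site1 only.
$session = ['login' => 'alice', 'role' => 'siteAdmin', 'adminOf' => 'site1'];

// Vulnerable pattern: the group to list is taken from the request, and an
// empty value disables the filter, so an authenticated site admin who sends
// "?group=" is shown every user on the system, not just those of his site.
function listUsersVulnerable(array $users, array $query): array {
    $group = isset($query['group']) ? (string) $query['group'] : '';
    if ($group === '') {
        return $users;                       // no filter at all
    }
    return array_values(array_filter($users, function ($u) use ($group) {
        return $u['group'] === $group;
    }));
}

// Hardened pattern: the request parameter is only ever compared against the
// group the session is allowed to administer. A missing or foreign group is
// refused; only a server administrator may list without a group.
function listUsersHardened(array $users, array $query, array $session): array {
    $group = isset($query['group']) ? (string) $query['group'] : '';
    if ($session['role'] !== 'serverAdmin') {
        if ($group === '' || $group !== $session['adminOf']) {
            throw new RuntimeException('forbidden: group not administered by caller');
        }
    }
    return array_values(array_filter($users, function ($u) use ($group) {
        return $group === '' || $u['group'] === $group;
    }));
}

// Reproduce the report: site admin requests the list with an empty group.
$query = ['group' => ''];
echo "vulnerable: " . count(listUsersVulnerable($allUsers, $query)) . " users visible\n";

try {
    listUsersHardened($allUsers, $query, $session);
} catch (RuntimeException $e) {
    echo "hardened: " . $e->getMessage() . "\n";
}

// Legitimate use still works: the site admin lists his own site's users.
echo "hardened, own group: "
    . count(listUsersHardened($allUsers, ['group' => 'site1'], $session))
    . " users visible\n";
```

Run it with `php` on the command line. The point of the hardened version is that the URL parameter never widens the result set: the effective group comes from the session, and a request whose parameter does not match the caller's own site is rejected rather than treated as "no filter".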