
Re: [cobalt-users] userList.php possible exploit



>> Possible Exploit:
>> An authenticated Site Administrator is able to view all users on the
>> local system.
>> 
>> Steps to Duplicate:
>> 1.  Create a site on the RaQ 550
>> 2.  Assign a user with Site Administrator privilege
>> 3.  Access the following URL:
>> http://www.domain.com:81/base/user/userList.php?group=
>> 4.  Login with the newly created Site Administrator account
>> 5.  You should see all users on the server
>> 
>> My question to User Group, is has this been corrected by Sun, can it be
>> duplicated?
> 
> YES, I can duplicate it. Changing port 81 in your URL to 444 (the default
> admin port), I can login as ANY site admin and view the entire list!!
> 
> bad bad bad

The ports used on the 550 are: (somewhat backwards)
https://www.domain.com:81/base/user/userList.php?group=
http://www.domain.com:444/base/user/userList.php?group=

Two additions:
1) It doesn't have to be a site admin, any user will do
2) This bug affects every page/listing in the 550 GUI!

It was reported on the Sun Support forums, back in Dec 2002.
The solution is to patch the PHP code with authentication checks.

--anders

PS. Note that it is "only" viewing, modifying gives errors.
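For readers patching their own listing pages, the following is an added illustration (not Cobalt/Sun code and not anything from the RaQ 550 GUI) of the kind of server-side authorization check the thread says is missing from userList.php: an empty or absent group parameter is refused instead of falling through to "all groups", and the caller's right to see the requested group is taken from the session, not from the URL. The user table, the session layout and the helper names (`current_caller`, `list_users_for`) are hypothetical.

```php
<?php
// Added example, not the RaQ 550's own code. The data below is constructed
// to stand in for the server's user and group tables.
$USERS = [
    ['name' => 'alice', 'group' => 'site1'],
    ['name' => 'bob',   'group' => 'site1'],
    ['name' => 'carol', 'group' => 'site2'],
    ['name' => 'admin', 'group' => 'server'],
];

// Hypothetical session lookup: who is logged in, whether they are the
// server administrator, and which site groups they administer.
// An ordinary site user would have an empty 'admin_of' list.
function current_caller(): array {
    return [
        'name'            => 'alice',
        'is_server_admin' => false,
        'admin_of'        => ['site1'],   // site admin of site1 only
    ];
}

// Returns the users the caller may see for $group, or null when the
// request must be refused. Two points matter:
//  1. A missing or empty "group" must not mean "every group on the box".
//  2. The decision is made from server-side session state, never from the
//     query string alone, so changing the port or the URL gains nothing.
function list_users_for(array $caller, ?string $group, array $users): ?array {
    if ($group === null || $group === '') {
        return null;                      // the empty-group case from the thread
    }
    $allowed = $caller['is_server_admin']
        || in_array($group, $caller['admin_of'], true);
    if (!$allowed) {
        return null;                      // plain users and other sites' admins
    }
    return array_values(array_filter(
        $users,
        fn(array $u): bool => $u['group'] === $group
    ));
}

// Request handling: refuse with 403 rather than leaking a full listing.
$group  = $_GET['group'] ?? null;
$result = list_users_for(current_caller(), $group, $USERS);
if ($result === null) {
    http_response_code(403);
    echo "Forbidden\n";
    exit;
}
foreach ($result as $u) {
    echo $u['name'], "\n";
}
```

With the constructed session above, `?group=site1` lists alice and bob, `?group=site2` and `?group=` both return 403, and a caller whose `admin_of` is empty gets 403 for any group; the same check belongs on every listing page, since the thread notes the problem is not limited to userList.php.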