
RE: [cobalt-users] userList.php possible exploit



Yes! I can also see the complete list of users without entering the admin
user id and password; any siteadmin user can see the complete list of users
on the server.

This needs to be reported to SUN!

Abhinav

Original Message:
-----------------
From: H.P. Noordam bno@xxxxxxxxx
Date: Mon, 5 May 2003 16:40:40 +0100
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] userList.php possible exploit




On Mon, 5 May 2003, Tom Honec wrote:
>
> I would like to bring to your attention a recent exploit which we found
> on some Cobalt RaQ 550s.  I would like your assistance in verifying this
> possible exploit.
>
> Possible Exploit:
> An authenticated Site Administrator is able to view all users on the
> local system.
>
> Steps to Duplicate:
> 1.  Create a site on the RaQ 550
> 2.  Assign a user with Site Administrator privilege
> 3.  Access the following URL:
> http://www.domain.com:81/base/user/userList.php?group=
> 4.  Login with the newly created Site Administrator account
> 5.  You should see all users on the server
>
> My question to the User Group is: has this been corrected by Sun, and can it be
> duplicated?
>

YES, I can duplicate it. Changing port 81 in your URL to 444 (the default
admin port), I can log in as ANY site admin and view the entire list!!

bad bad bad


Bob.

_____________________________________
cobalt-users mailing list
cobalt-users@xxxxxxxxxxxxxxx
To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
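The bug class the thread reproduces, modelled as an added example. This is not code from the original posts and not the RaQ 550's actual userList.php (the page shows no source for it); the users, sites, roles and function names are constructed assumptions. The vulnerable function takes its scope from the client-supplied `group` parameter, so an empty value disables the filter and any authenticated site admin enumerates every account; the hardened function derives the permitted scope from the caller's session and rejects anything else. It also goes one step beyond the thread by covering a second group name as the parameter, which the posts did not test but which the same trust-the-parameter design would expose.

```python
"""Constructed model of an authorization flaw in a user-list endpoint.

Hypothetical: mirrors the shape of userList.php?group= as described in the
thread, not the appliance's real code.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Session:
    """Authenticated caller. Roles and sites are constructed for the example."""
    user: str
    role: str   # "server_admin" or "site_admin"
    site: str   # the site (group) this account administers; "" for server admin


# Constructed sample data: every account on the box and the site it belongs to.
USERS = {
    "alice": "site1.example",
    "bob": "site1.example",
    "carol": "site2.example",
    "dave": "site2.example",
    "admin": "server",
}


def _users_in(group: str) -> list[str]:
    return sorted(u for u, g in USERS.items() if g == group)


def list_users_vulnerable(session: Session, group: str) -> list[str]:
    """Trusts the request parameter for scoping.

    An empty 'group' falls through to an unfiltered listing, and a site admin
    who supplies another site's name gets that site's users too. The session
    is only checked for existence, never for what it is allowed to see.
    """
    if not group:
        return sorted(USERS)
    return _users_in(group)


def list_users_fixed(session: Session, group: str) -> list[str]:
    """Derives scope from the session, not from the URL.

    Server admins may list any group, or all users when 'group' is empty.
    Site admins may list only their own site; an empty string or any other
    site name is rejected rather than silently widened.
    """
    if session.role == "server_admin":
        return sorted(USERS) if not group else _users_in(group)
    if session.role == "site_admin":
        if group != session.site:
            raise PermissionError(
                f"{session.user} may only list {session.site!r}, not {group!r}"
            )
        return _users_in(session.site)
    raise PermissionError(f"unknown role {session.role!r}")


def is_denied(fn: Callable[[Session, str], list[str]],
              session: Session, group: str) -> bool:
    """True if the endpoint refuses the request instead of returning data."""
    try:
        fn(session, group)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    site_admin = Session("webmaster", "site_admin", "site1.example")
    # Step 3 of the report: group= left empty by a site admin.
    print("vulnerable, group='':", list_users_vulnerable(site_admin, ""))
    print("fixed, group='' denied:", is_denied(list_users_fixed, site_admin, ""))
    # Generalization: naming another site in the parameter.
    print("vulnerable, other site:", list_users_vulnerable(site_admin, "site2.example"))
    print("fixed, other site denied:",
          is_denied(list_users_fixed, site_admin, "site2.example"))
    print("fixed, own site:", list_users_fixed(site_admin, "site1.example"))
```

The point of the fixed variant is that the filter value is no longer something the client chooses; the server compares the request against what the session already entitles the caller to and fails closed. Checking "is the caller logged in" without "is this caller allowed to see this scope" is exactly what lets the site admin in the thread read every account on the box.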

