[11409] in bugtraq
Stupid bug in W3-msql
daemon@ATHENA.MIT.EDU (gregory duchemin)
Wed Aug 18 07:12:04 1999
Message-Id: <19990817171348.8576.qmail@securityfocus.com>
Date: Tue, 17 Aug 1999 17:13:48 -0000
Reply-To: gregory duchemin <veille@NEUROCOM.COM>
From: gregory duchemin <veille@NEUROCOM.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
hi,
there is a really stupid bug in the w3-msql cgi-bin developed
by Hughes Technology: http://www.Hughes.com.au
This bug is a bit old but seems to still be present in the
latest release of this software: mini-sql v 2.0.10.1
It's very simple to exploit the flaw; an intruder is able to
look at everything on a remote web server even if the
directory is ".htaccess protected". (eg apache)
the first way to do it:
http://www.victim.org/cgi-bin/w3-msql/protected-directory/private-file
note: in this case, the intruder'll have to already know the
structure of the directory
the second way:
http://www.victim.org/cgi-bin/w3-msql/protected-directory/.htpasswd
in this way, the intruder'll get all DES encrypted passwords for
authorized users in plain text and so will be able to crack
any account (eg Crack 5.0, Alec Muffett)
Solution:
First: if there is no private directory on your site, ok... in
this case, this bug doesn't matter to you
Otherwise, don't put your .htpasswd files under the apache root
(change your link in .htaccess)
and contact Hughes Technology quickly.
have a nice day
Gregory Duchemin
(security engineer)
Neurocom
179-181 Av Charles De Gaulle
92200 Neuilly Sur Seine
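
The workaround in the post (keep .htpasswd out of the web tree) can be audited; the following is an added example, not part of the original message or of any Hughes Technology or Apache code. It walks a document root, reads the AuthUserFile directive from each .htaccess, and reports password files that resolve inside the document root. The function names, the default server_root value and the sample tree are assumptions made for illustration, and quoted paths containing spaces are not handled.

```python
import os
import re
import tempfile

# Matches Apache's AuthUserFile directive; commented-out lines do not match.
AUTH_RE = re.compile(r'^\s*AuthUserFile\s+"?([^"\s]+)"?', re.I | re.M)

def find_exposed_password_files(docroot, server_root="/etc/apache"):
    """Return (htaccess_path, password_file) pairs where the file named by
    AuthUserFile resolves to a location inside docroot.
    server_root is an assumed default; pass the real ServerRoot."""
    docroot = os.path.realpath(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        htaccess = os.path.join(dirpath, ".htaccess")
        with open(htaccess, errors="replace") as fh:
            text = fh.read()
        for target in AUTH_RE.findall(text):
            # Apache resolves a relative AuthUserFile against ServerRoot.
            if not os.path.isabs(target):
                target = os.path.join(server_root, target)
            resolved = os.path.realpath(target)  # follows symlinks
            if os.path.commonpath([docroot, resolved]) == docroot:
                findings.append((htaccess, resolved))
    return findings

def demo():
    """Constructed sample tree: 'private' keeps .htpasswd beside the content
    it protects, 'members' points outside the document root."""
    base = os.path.realpath(tempfile.mkdtemp())
    docroot = os.path.join(base, "htdocs")
    bad = os.path.join(docroot, "private")
    good = os.path.join(docroot, "members")
    for d in (bad, good, os.path.join(base, "auth")):
        os.makedirs(d)
    with open(os.path.join(bad, ".htaccess"), "w") as fh:
        fh.write("AuthType Basic\nAuthUserFile %s/.htpasswd\n" % bad)
    with open(os.path.join(good, ".htaccess"), "w") as fh:
        fh.write('AuthType Basic\nAuthUserFile "%s/auth/members.pw"\n' % base)
    return docroot, find_exposed_password_files(docroot)

if __name__ == "__main__":
    for htaccess, pwfile in demo()[1]:
        print("password file inside document root:", pwfile, "(from", htaccess + ")")
```

This covers only the password-file case from the post; files in the protected directory itself remain readable through the CGI until the CGI is fixed or removed.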