[6934] in bugtraq


Sambar Server Beta BUG..

daemon@ATHENA.MIT.EDU (Michiel de Weerd)
Wed Jun 10 15:13:09 1998

Date: 	Wed, 10 Jun 1998 18:12:57 +0200
Reply-To: Michiel de Weerd <webmaster@FOCUS.DEMON.NL>
From: Michiel de Weerd <webmaster@FOCUS.DEMON.NL>
X-To:         tod@sambar.com
To: BUGTRAQ@NETSPACE.ORG

Sambar Server betas have a serious bug! It is possible to view the
victim's HDD.

This is how it's done:

Assume you find a computer running Sambar Server by searching the
Internet with these keywords: +sambar +server +v4.1

If you find a site like: http://www.site.net/

then do a test: run a little Perl script...

http://www.site.net/cgi-bin/dumpenv.pl

Now you see the complete environment of the victim's computer, including
his path. Now you can try to log in as the administrator by adding this
to the URL: /session/adminlogin?RCpage=/sysadmin/index.stm

so: http://www.site.net/session/adminlogin?RCpage=/sysadmin/index.stm

The default login is: admin and the default password is blank.

If the victim hasn't changed his settings, you can now control his
server.

Another feature is to view the victim's HDD. If you were able to run the
Perl script you should also be able (in most cases) to view directories
from his path. Most people have c:/program files and c:/windows in the
path line, so what you can do is:

http://www.site.net/c:/program files/sambar41

FIX:

1) Upgrade to a non-beta version of Sambar Server.
2) Don't allow directory browsing if index.html or default.html isn't
found.
3) Change the admin username and password before someone else changes it
for you.

CC to Tod Sambar - http://www.sambar.com
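Added example (not code from the post or from Sambar Server): the two server behaviours the post relies on are a URL like /c:/program files/sambar41 being treated as an absolute filesystem path, and nothing stopping a request from walking above the document root. The block below confines every request path to a document root (rejecting drive letters, NTFS stream syntax and ".." escapes) next to a simplified model of the described flaw kept only for contrast, and then reuses the same check, together with the dumpenv.pl and /session/adminlogin indicators from the post, to sweep access-log lines. DOCROOT, the function names and the log lines are assumptions constructed for this example.

```python
"""Added example (not code from the post or from Sambar Server).

resolve() confines a request path to DOCROOT; vulnerable_resolve() is a
simplified model of the behaviour the post describes, kept only for
contrast; sweep_log() applies the same check, plus the two URL indicators
from the post, to access-log lines.  DOCROOT and LOG_SAMPLE are
constructed for this example.
"""
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "C:/sambar41/docs"          # hypothetical document root
DRIVE_RE = re.compile(r"^[A-Za-z]:")  # "c:" at the start of a path

# Request paths the post uses as probes; matched case-insensitively as prefixes.
INDICATORS = {
    "/cgi-bin/dumpenv.pl": "environment dump CGI requested",
    "/session/adminlogin": "admin login page requested",
}


def decode_path(url_path: str) -> str:
    """Drop the query string, percent-decode once, and unify separators."""
    path = url_path.split("?", 1)[0]
    return unquote(path).replace("\\", "/")


def docroot_relative(url_path: str):
    """Canonical docroot-relative path, or None if the request must be refused."""
    path = decode_path(url_path)
    if "\x00" in path:
        return None
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if ":" in seg:
            # Drive letters ("c:") and NTFS streams ("x.txt::$DATA") both
            # carry a colon; neither belongs in a web path.
            return None
        if seg == "..":
            if not segments:
                return None  # would climb above the document root
            segments.pop()
            continue
        segments.append(seg)
    return "/".join(segments)


def resolve(url_path: str):
    """Hardened mapping: absolute path under DOCROOT, or None to refuse."""
    rel = docroot_relative(url_path)
    if rel is None:
        return None
    return posixpath.join(DOCROOT, rel)


def vulnerable_resolve(url_path: str) -> str:
    """Simplified model of the flaw: a leading drive letter escapes DOCROOT
    and ".." is never checked.  Shown only for contrast; do not use."""
    path = decode_path(url_path).lstrip("/")
    if DRIVE_RE.match(path):
        return path  # absolute path wins: serves from anywhere on the disk
    return posixpath.join(DOCROOT, path)


REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+)')

# Constructed access-log lines modelled on the probes in the post.
LOG_SAMPLE = """\
10.0.0.5 - - [10/Jun/1998:18:01:02 +0200] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [10/Jun/1998:18:01:09 +0200] "GET /cgi-bin/dumpenv.pl HTTP/1.0" 200 2210
10.0.0.5 - - [10/Jun/1998:18:01:31 +0200] "GET /session/adminlogin?RCpage=/sysadmin/index.stm HTTP/1.0" 200 870
10.0.0.5 - - [10/Jun/1998:18:02:04 +0200] "GET /c:/program%20files/sambar41 HTTP/1.0" 200 5120
10.0.0.5 - - [10/Jun/1998:18:02:40 +0200] "GET /..%2F..%2Fwindows/win.ini HTTP/1.0" 404 210
"""


def sweep_log(text: str):
    """Return (line_no, request_path, reason) for every suspicious request."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw = m.group(1)
        decoded = decode_path(raw).lower()
        for prefix, reason in INDICATORS.items():
            if decoded.startswith(prefix):
                findings.append((line_no, raw, reason))
                break
        else:
            if resolve(raw) is None:
                findings.append((line_no, raw, "path refused by document-root check"))
    return findings


if __name__ == "__main__":
    for hit in sweep_log(LOG_SAMPLE):
        print(hit)
```

The resolver works lexically on the decoded path rather than calling the filesystem, so it behaves the same on any host and cannot be fooled by a path that only becomes absolute after the OS normalises it. Running the sweep over the constructed log flags lines 2 to 5 and leaves the plain /index.html request alone.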
