[18424] in bugtraq
Re: Vulnerabilities in Informix Webdriver
daemon@ATHENA.MIT.EDU (John Wright)
Thu Jan 4 14:20:37 2001
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20010104092543.A6045@dryfish.org>
Date: Thu, 4 Jan 2001 09:25:44 +0000
Reply-To: John Wright <john@dryfish.org>
From: John Wright <john@DRYFISH.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <004d01c075b2$6323c150$e2dc3a9e@pdx.informix.com>; from
jrp@PUN.ORG on Wed, Jan 03, 2001 at 10:24:18AM -0800

I missed the original post so I'm quoting Joshua Poulson instead.
Basically, everything quoted is examples of a default install where no
configuration has been done.

On Wed, Jan 03, 2001 at 10:24:18AM -0800, Joshua R. Poulson wrote:
> > Webdriver is the web interface of Informix database, I found it is
> > vulnerable. In the common condition, webdriver is submitted with a
> > parameter, but if you type http://victim/cgi-bin/webdriver directly,
> > it will return a webpage which you can modify or delete database on
> > it.

The above is a misconfiguration. webdriver has easy to use configuration
and the above is just the default for a particular set of configurations.
With a proper setup the above URL would send you to a 404 Asset not found or
a company home page or whatever.

> The Web DataBlade manuals have a comment about leaving the AppPage
> Builder program running on a production database on page 11-4 of the
> Version 4.0 Administrator's Guide.
>
> "You should not install AppPage Builder (APB) in a Production
> Database, since APB is typically only used during development and
> can pose a security risk if present in a production database."

You can also set a read_level for a configuration and webdriver will check
this against the read_level of an AppPage and will give a 403 Access not
allowed if you do not have access.

> > Otherwise, webdriver will make a /tmp/.log file, its attribute is
> > -rw-rw-rw, we can make a symlink and get the nobody privilege,
> > although without root privilege, we can deface the website as
> > nobody.
>
> The only files created with a .log extension are debug logs. What
> version of the web driver are you using?

Logs can be enabled and disabled and moved and placed in secured locations
on disk.
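
An added example, not part of the original post and not Informix code: one way a CGI program can open a debug log so that the world-writable /tmp log and planted-symlink problem discussed in the thread does not arise. The function names open_log_secure and demo and the temporary paths are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log for appending; returns an fd, or -1 if the path is unsafe. */
int open_log_secure(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink as the final path component;
       mode 0600 means the log is never created world-writable. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Validate the object actually opened, not the name: regular file,
       ours, single link, not writable by group or others. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1 ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp directory. Returns 1 when a
   pre-planted symlink is refused and a fresh log gets no group/other bits. */
int demo(void)
{
    char dir[] = "/tmp/logdemoXXXXXX", target[64], planted[64], good[64];
    struct stat st;
    if (!mkdtemp(dir))
        return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(planted, sizeof planted, "%s/planted.log", dir);
    snprintf(good, sizeof good, "%s/debug.log", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0644);
    if (t < 0 || close(t) != 0 || symlink(target, planted) != 0)
        return 0;
    int refused = open_log_secure(planted) == -1;
    int fd = open_log_secure(good);
    int ok = fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 077) == 0;
    if (fd >= 0)
        close(fd);
    unlink(planted); unlink(target); unlink(good); rmdir(dir);
    return refused && ok;
}
```

Placing the log in a directory writable only by the server account, as the reply suggests, removes the race on the directory itself; the checks above cover the file.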