Apache Today [Your Apache News Source]
Your Daily Source for Apache News and Information  
Breaking News Preferences Contribute Triggers Link Us Search About
To internet.com

Apache HTTPD Links
ApacheCon
The Java Apache Project
The Apache Software Foundation
The Jakarta Project
Apache XML Project
Apache-Perl Integration Project
Apache Project
PHP Server Side Scripting
Apache-Related Projects
The Apache FAQ
Apache Module Registry

  internet.com

Internet News
Internet Investing
Internet Technology
Windows Internet Tech.
Linux/Open Source
Web Developer
ECommerce/Marketing
ISP Resources
ASP Resources
Wireless Internet
Downloads
Internet Resources
Internet Lists
International
EarthWeb
Career Resources

Search internet.com
Advertising Info
Corporate Info
BugTraq: Advisory: Chili!Soft ASP Multiple Vulnerabilities
Feb 21, 2001, 18 :09 UTC (3 Talkback[s]) (643 reads)

Date: Tue, 20 Feb 2001 22:35:43 +0000
From: Stan Bubrouski
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Advisory: Chili!Soft ASP Multiple Vulnerabilities

Author:   Stan Bubrouski (stan@ccs.neu.edu)
Date:   February 20, 2001
Package:  Chili!Soft ASP
Versions affected:  3.5.2 and possibly previous versions.
Severity:  (1) A remote user could potentially view sensative information and
              take remote control of the server.  (2) The installer installs
              a default username and password for the adminstrative console
              if auto-detect of settings is used.  (3) There are also several
              serious file permissions problems.

Problems:

(1) Chili!Soft ASP ships with samples scripts which are located in
    /opt/casp/caspsamp by default and are installed on webservers by default
    accessable via http://<server>/caspsamp/ A sample script named
    codebrws.asp prolly taken from IIS/4.0 originally is vulnerable to a
    "../" attack allowing sensative information to be revieled to remote
    users.  During brief testing I was only able to get the script to read
    files on directory above the caspsamp directory which is the /opt/casp
    directory by default.  This directory contains database
    usernames/passwords, the server logs, and the username/password to
    administration console.  With the password to the administrative console
    a remote user with web access can remotely manage the server thus
    openning endless possibilies since the console runs as root.

    It appears they attempted to prevent people from viewing files outside
    the samples directory because when I tried with an url not containing
    /caspsamp/ at the begining it would fail and warn me that I'm not allowed
    to view files outside the samples directory.

(2) The installer program installs a default username and password for
    adminstration console which is remotely accessable via the web.  The
    username/password are stored in the file /opt/admin/conf/service.pwd
    which is probably the only file installed with the correct permissions
    (in this case mode 600).

(3) There are several files installed mode 666 which is a serious no-no as
    some logs and configuration files are affected by this. On my system the
    following files were installed mode 666:

/opt/casp/logs/install_summary
/opt/casp/logs/install
/opt/casp/logs/register
/opt/casp/logs/server-3000
/opt/casp/logs/component
/opt/casp/caspsamp/401K/database/QEDBF.INI
/opt/casp/caspsamp/friendship/agent/database/QEDBF.INI
/opt/casp/caspsamp/friendship/client/database/QEDBF.INI
/opt/casp/caspsamp/QEDBF.INI
/opt/casp/chilicom/lib/hkey.current.user
/opt/casp/chilicom/lib/hkey.local.machine
/opt/casp/INSTALL/.webserver-cache
/opt/casp/.installed_db
/opt/casp/admin/conf/hkey.current.user
/opt/casp/admin/conf/hkey.local.machine
/opt/casp/admin/logs/server

    This may seem bad it gets worse.  Most of the files dealing with
    databases such as global_odbc.ini and odbc.ini are all world-readable and
    thus by default expose passwords administrators may lator install to
    local users.  All configuration files for the server and subsequent other
    services offered Chili!Soft ASP are also world-readable exposing even
    more useful information to local users.

Examples:
http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd
http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../global_odbc.ini
http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../admin/logs/server
http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../LICENSE.LIC
http://<server>/caspsamp/codebrws.asp?source=/caspsamp/../logs/server-3000

Solution: Remove all references to the sample ASP file in your httpd.conf and
replace the default admin account.  Then change file permissions in /opt/casp
as your system security dictates (in other words figure it out for yourself)

Vendor Status: Vendor was e-mailed these problems on December 30, 2000.

Copyright 2001 Stan Bubrouski

  Current Newswire:
Apache Software Foundation and Camelot Communications take ApacheCon to Dublin, Ireland

Intelligent Enterprise: Untangling the Web

SecurityPortal: Ask Buffy - Apache Proxy Request

SECURITY: Apache 1.3 Security Fix Available for Win32/OS2 users

Covalent Technologies Named to Upside Magazine's Hot 100

PR: New Max Server Pages Is Free Server-Side Web Scripting Xbase Option for Apache

Using Macromedia UltraDev with PostgreSQL, Tomcat and Apache

NewbieNetwork: Using Aggregate Functions and Operators in PostgreSQL

ZDNet: PHP and Zend

PHP DevCenter: Common PHP Installation Problems

 Talkback(s) Name  Date
Jeffy - Major problem?????? ...   Chili!Soft   
  Feb 22, 2001, 07:50:53
I have been having problems with ChiliASP since the very beginning. First it was ...   ChiliASP   
  Feb 22, 2001, 10:00:31
There have been various issues related to security brought to the attention of C ...   Advisory: Chili!Soft ASP Multiple Vulnerabilities   
  Feb 24, 2001, 17:36:29
Enter your comments below.
Your Name: Your Email Address:


Subject: CC: [will also send this talkback to an E-Mail address]
Comments:

See our talkback-policy for or guidelines on talkback content.

About Triggers Newsletters Media Kit Security Triggers Login


internet.com
Privacy Policy
All times are recorded in UTC.
Linux is a trademark of Linus Torvalds.
Powered by Linux 2.2.12, Apache 1.3.9. and PHP 3.14
© Copyright 2000, internet.com Corp. All Rights Reserved.Legal Notices.