
infradig_1225_5-3-00.txt

Date: 06 Mar 2000 | Reported by: nemesystm | Type: packetstorm | Source: packetstormsecurity.com

Infradig 1.225 has a security flaw allowing unrestricted access to administration features online.

Code
`+++>===] Written by Nemesystm, leader of the DHC [===<+++  
++++>==] Visit us at dhc1.cjb.net You want 2 [==<++++  
  
Subject: Infradig 1.225 Security Hole  
Description program: Infradig is a HTTP Server with a Mail daemon, etc.  
Description hole: There are no restrictions on the online administration bit of the server software.  
  
<-[what was used]->  
Infradig 1.225 for Windows 95/98 downloaded from cnet.com  
Installed with the typical installation, no standard settings changed.  
This problem worked on: Windows 98 + IE5.0  
  
<-[how to create the problem]->  
The administration service runs on port 81 (as a default, can be set). Connecting to: http://www.server.com:81/sysadmin/sysadmin.cgi will let you edit accounts, add users, set all kinds of things like ports, and start services. (FTP, etc)  
On the HTTP server, you can go to http://www.server.com/sysadmin/ and it will/should automatically refer you to the administration service.  
  
<-[logs]->  
When you go to the administration page, your IP is logged. You can find the logs in programdir\logs.  
It also has what you do, and what browser you used.  
  
<-[fix]->  
Delete: program dir\inetpub\sysadmin\*.*  
program dir\inetpub\mailadmin\*.*  
Change all user things, etc, by right-clicking the server icon in the bottom right corner of the screen and choosing "Manual configure"  
  
Greetz,  
nemesystm, leader of the DHC (dhc1.cjb.net)  
  
>>>The End<<<  
[email protected] for questions.`
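
An added example, not part of the advisory or of Infradig: a defender's check that the two admin directories named in the fix are empty, plus a review of the logs directory for requests to the admin pages grouped by client IP. The log line layout, the `/mailadmin/` URL prefix, the helper names and the sample addresses are assumptions; the advisory only says the logs record IP, action and browser.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

ADMIN_DIRS = ("inetpub/sysadmin", "inetpub/mailadmin")  # directories the advisory says to empty
ADMIN_URLS = ("/sysadmin/", "/mailadmin/")  # second prefix is an assumption
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def leftover_admin_files(program_dir):
    """Files still present under the admin directories; empty list means the fix is applied."""
    root = Path(program_dir)
    return sorted(p.relative_to(root).as_posix()
                  for rel in ADMIN_DIRS if (root / rel).is_dir()
                  for p in (root / rel).rglob("*") if p.is_file())

def admin_hits_by_ip(program_dir, trusted=()):
    """Count log lines naming an admin URL, keyed by the first IPv4 address on the line."""
    hits = Counter()
    logs = Path(program_dir) / "logs"
    files = sorted(p for p in logs.glob("*") if p.is_file()) if logs.is_dir() else []
    for log in files:
        for line in log.read_text(errors="replace").splitlines():
            if not any(url in line.lower() for url in ADMIN_URLS):
                continue
            match = IPV4.search(line)
            ip = match.group(0) if match else "unknown"
            if ip not in trusted:
                hits[ip] += 1
    return dict(hits)

def build_sample_install(base):
    """Constructed sample tree; the log layout is assumed, not taken from Infradig."""
    root = Path(base)
    for rel in ADMIN_DIRS + ("logs",):
        (root / rel).mkdir(parents=True)
    (root / "inetpub/sysadmin/sysadmin.cgi").write_text("placeholder")
    (root / "logs/http.log").write_text(
        "203.0.113.7 GET /sysadmin/sysadmin.cgi MSIE 5.0\n"
        "203.0.113.7 GET /SYSADMIN/sysadmin.cgi MSIE 5.0\n"
        "192.0.2.10 GET /index.html MSIE 5.0\n"
        "127.0.0.1 GET /sysadmin/ MSIE 5.0\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_install(tmp)
        print("leftover admin files:", leftover_admin_files(root))
        print("admin requests by IP:", admin_hits_by_ip(root, trusted=("127.0.0.1",)))
```

Point both functions at the real program directory; any address returned by `admin_hits_by_ip` that is not an administrator's own machine is worth following up in the full log.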
