`--------------------------------------------------
Owl Intranet Engine - File Disclosure Vulnerability
--------------------------------------------------
Date:
5-12-03
Advisory Url:
http://sec.angrypacket.com/advisories.phtml
Vendor Home Page:
http://owl.sourceforge.net/
Vendor Project Page:
http://sourceforge.net/projects/owl
Version Information:
Owl 0.71
Application Information:
Owl is a multi-user document repository (knowledgebase) system written in PHP4 for publishing files and documents onto the web for a corporation, small business, group of people, or just for yourself.
Extra Information:
Owl is written in PHP4 and stores its data in a MySQL database.
Vulnerability Information:
By requesting a URL that carries a bogus username, you can view content within the Owl interface. This technique bypasses user authentication and the need for a valid session ID.
The Owl PHP source includes a browse.php script that calls its library ( lib/owl.lib.php ). This PHP library does not check for a valid user and password at this point.
Code Snippet:
intranet/lib/owl.lib.php
------------------- snip ------------------
function verify_login($username, $password) {
    global $default;
    $sql = new Owl_DB;
    $sql->query("select * from $default->owl_users_table where username = '$username' and password = '" . md5($password) . "'");
    $numrows = $sql->num_rows($sql);
    // Bozz Begin added Password Encryption above, but for now
    // I will allow admin to use non crypted password untile he
    // upgrades all users
    if ($numrows == "1") {
        while($sql->next_record()) {
            if ( $sql->f("disabled") == 1 )
                $verified["bit"] = 2;
            else
                $verified["bit"] = 1;
            $verified["user"] = $sql->f("username");
            $verified["uid"] = $sql->f("id");
            $verified["group"] = $sql->f("groupid");
            $maxsessions = $sql->f("maxsessions") + 1;
        }
    }
    // Remove this else in a future version
    else {
        if ($username == "admin") {
            $sql->query("select * from $default->owl_users_table where username = '$username' and password = '$password'");
------------------- snip ------------------
Exploit Sample:
http://www.someplace.com/intranet/browse.php?loginname=whocares
Credits:
Angrypacket_Security ( you know wh0 you iz ), Methodic ( w0rd up j1gg4h ! ) dont worry you'll be in KC soon too !
Url:
http://www.sec.angrypacket.com
Extra Stuff:
Never underestimate the skillz of a fat man.
~!>D
------------------------------------------
Network Security Engineer
http://www.angrypacket.com
Christopher M Downs,RHCE
[email protected]
char ash[]="\x48\x61\x69\x6C\x20"
"\x74\x6F\x20\x74\x68\x65\x20\x4B"
"\x69\x6E\x67";
-------------------------------------------
`
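The missing check described in this advisory, sketched as an added example (not Owl's code and not the vendor's fix): every page resolves the user from a server-side session record and ignores request fields such as loginname. The schema, the `sess` parameter name and all function names are assumptions made for illustration.

```php
<?php
// Added example, not Owl's code. The schema, the "sess" parameter name and
// all function names are hypothetical.

// Check credentials with a bound parameter and a salted password hash.
function verify_login(PDO $db, string $user, string $pass): ?int {
    $q = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ? AND disabled = 0');
    $q->execute([$user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    return ($row && password_verify($pass, $row['pw_hash'])) ? (int)$row['id'] : null;
}

// Issue a random session token; only its hash is stored server-side.
function start_session(PDO $db, int $uid, int $ttl = 900): string {
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO sessions (token_hash, uid, expires) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $uid, time() + $ttl]);
    return $token;
}

// Gate for every page (browse.php included): the user is derived from the
// session record alone; request fields such as loginname are never trusted.
function require_login(PDO $db, array $request): ?array {
    $token = $request['sess'] ?? null;
    if (!is_string($token) || $token === '') return null;
    $q = $db->prepare('SELECT u.id, u.username FROM sessions s JOIN users u ON u.id = s.uid
                       WHERE s.token_hash = ? AND s.expires > ? AND u.disabled = 0');
    $q->execute([hash('sha256', $token), time()]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    return $row ? ['uid' => (int)$row['id'], 'user' => $row['username']] : null;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                               pw_hash TEXT, disabled INTEGER DEFAULT 0)');
$db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, uid INTEGER, expires INTEGER)');
$db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(require_login($db, ['loginname' => 'whocares']));           // no session token
var_dump(require_login($db, ['sess' => str_repeat('0', 64)]));        // unknown token
$uid = verify_login($db, 'alice', 'correct horse');
var_dump(require_login($db, ['sess' => start_session($db, $uid)]));   // valid session
```

A page script would call require_login() first and stop with a redirect to the login form whenever it returns null.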