Password file, yawn. Shadow password file, that would be a much bigger deal...

On Nov 5, 2011 11:46 AM, <[email protected]> wrote:
> On Sat, 05 Nov 2011 18:58:20 BST, Buherátor said:
>
> > "Oracle NoSQL Database is intended to be installed in a secure
> > location where physical and network access to the store is restricted
> > to trusted users.
>
> Which any savvy sysadmin knows really means "It's your problem to set
> up iptables to restrict this sucker..."
>
> And of course, *that* usually means "avoid this product like the plague" ;)
>
> > $ curl -v http://127.0.0.1:5001/kvadminui/LogDownloadService?log=../../../../../../../../../../../../../../../etc/passwd
>
> OK as far as it goes. But take it a step further. Does the LogDownloadService
> process do any sanity checking and only let you download world-readable files?
> If so, it's quite the yawner of an "exploit".
>
> Or does it let you snarf up /etc/shadow, or other ways to get a system
> privilege escalation. Remember - you could have users trusted with the data in
> the database, but not other content on the system. A *lot* of shops have policy
> where the DBAs do *not* have the root password - can you use this to bypass
> that policy? Can you get it to cough up a file containing the database config
> or access passwords? Can you get it to cough up the logfile where it logs the
> fact you accessed it (and can you abuse that into an infinite loop filling the
> log space?) What other creative failure modes can you come up with for this
> "fee-chur"? :)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

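The two questions the quoted reply raises, whether the `log` parameter can walk out of the log directory at all, and whether a "world-readable only" check would reduce the bug to a yawner, can be shown side by side in a few lines. The following is example code added to this thread; it is not Oracle NoSQL's code and not the poster's. The `kvroot/log` layout, the `security.cfg` file name and the function names are assumptions made for illustration, and the files it reads are constructed in a temporary directory.

```python
import os
import stat
import tempfile
from typing import Optional

# Constructed example: a log-download handler with the traversal pattern the
# thread describes, next to a hardened version. Not Oracle's code; the
# directory layout and function names are assumptions made for illustration.

# the same 15-level traversal string used in the curl request above
TRAVERSAL = "../../../../../../../../../../../../../../../etc/passwd"


def naive_log_path(log_dir: str, requested: str) -> str:
    """Vulnerable: join the user-supplied 'log' parameter onto the log directory.
    normpath collapses the '..' segments, so enough of them walk out to /etc/passwd."""
    return os.path.normpath(os.path.join(log_dir, requested))


def safe_log_path(log_dir: str, requested: str) -> Optional[str]:
    """Hardened: canonicalise (symlinks and '..' resolved), then require the
    result to remain inside log_dir. Returns None when the request escapes."""
    base = os.path.realpath(log_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole components, so /var/log2 does not pass as /var/log
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def is_world_readable(path: str) -> bool:
    """The 'yawner' test from the thread: could any local user read this anyway?
    A 0600 file such as /etc/shadow fails this check; /etc/passwd passes it."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IROTH)
    except OSError:
        return False


def demo() -> dict:
    """Run both handlers against a throwaway log directory (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = os.path.join(tmp, "kvroot", "log")   # assumed layout
        os.makedirs(log_dir)
        public_log = os.path.join(log_dir, "admin.log")
        secret_cfg = os.path.join(log_dir, "security.cfg")  # assumed file name
        for path, mode in ((public_log, 0o644), (secret_cfg, 0o600)):
            with open(path, "w") as fh:
                fh.write("constructed sample line\n")
            os.chmod(path, mode)

        naive = naive_log_path(log_dir, TRAVERSAL)
        return {
            # the naive join lands on /etc/passwd, outside the log directory
            "naive_target": naive,
            "naive_escapes": not naive.startswith(os.path.realpath(log_dir)),
            # the hardened version refuses the traversal but still serves real logs
            "safe_traversal": safe_log_path(log_dir, TRAVERSAL),
            "safe_legit": safe_log_path(log_dir, "admin.log") == os.path.realpath(public_log),
            # the mode-bit check separates the yawner from the real problem
            "public_readable": is_world_readable(public_log),
            "secret_readable": is_world_readable(secret_cfg),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the mode-bit check only answers the first question in the reply. The service reads files with its own credentials, so a file such as a database config that is readable by the service account but not by the requesting user still has to be kept out of reach by the directory check; the world-readable test on its own does not do that.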