Breaking Cobalt's RaQ2 password CGI
--------------------------------------------------------------------------------
SUMMARY
A security vulnerability in Cobalt's RaQ2 User Management CGI
(siteUserMod.cgi) allows a remote attacker who holds Site Administrator
access to one site to change any user's password, including the passwords
of other administrators, without holding server administration privileges.
DETAILS
Exploit:
To replicate this bug you must have Site Administrator access to one of
the accounts (sites) on the server. When you go into Site Management for
that site and select the User Management option, you get a list of the
usernames that have been set up for that site.
The green pencil edit icon calls the JavaScript function modify() and
passes the username as the function's only argument. To execute a function
from the Location Bar in Netscape, the HTML page has to be the top frame,
so open the userList.html file by itself in a new window. When you then
type "javascript: modify( 'admin' );" into the Location Bar, the modify()
function builds the URL of the Modify User page and loads it.
The URL produced is something like:
http://yoursite:81/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi?username=admin&group=site151&949015199230
(NOTE: the trailing number is a per-request token that cannot be reused;
call modify() again to obtain a fresh one for each attempt.)
This loads the standard Modify User page for the "admin" account. However,
when you attempt to change its information by clicking the "Confirm
Modify" button, you get a JavaScript error, because the function that the
button calls depends on the frame layout of the Site Management page.
To overcome this, download the two HTML files that make up the Site
Management frameset to your hard disk: index.html and right.html. Edit
index.html so that it refers to the URL of the remote site and to the URL
of your local copy of right.html.
Then edit right.html so that it loads the URL discovered above:
http://yoursite:81/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi?username=admin&group=site151&949015199230
(This makes it load the "Modify User" page for the "admin" account.)
After you click the link, the page loads with all the correct frames and
the "Modify User" page for the "admin" account. Enter a new password for
the "admin" user and click "Confirm Modify", and the admin password is
changed. The CGI never checks on the server side that the target user
belongs to the requesting Site Administrator's site; the frame dependency
that produced the JavaScript error was only a client-side obstacle.
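The following is an added example, not code from Cobalt or from the
advisory author. It models the authorization defect described above as two
request handlers: a "vulnerable" one that, like siteUserMod.cgi as
described, only confirms the caller holds a site-administrator session and
then trusts the username/group query parameters, and a "hardened" one that
decides from the session and its own user directory whether the caller may
touch the target. The account names, site groups, role names and the
directory are constructed sample data; the real CGI's internals are not
known from the advisory.

```python
"""
Model of the siteUserMod.cgi authorization defect (added example; not
Cobalt's code). Users, groups and roles below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    group: str   # site the account belongs to, e.g. "site151"
    role: str    # "user", "siteadmin" or "serveradmin"


# Constructed directory: a box hosting two sites plus the server administrator.
DIRECTORY = {
    "admin": User("admin", "server", "serveradmin"),
    "alice": User("alice", "site151", "siteadmin"),
    "bob":   User("bob",   "site151", "user"),
    "carol": User("carol", "site152", "siteadmin"),
}

ROLE_RANK = {"user": 0, "siteadmin": 1, "serveradmin": 2}


class Forbidden(Exception):
    """Raised when a handler refuses the password change."""


def vulnerable_modify(session_user, params):
    """Behaviour the advisory implies: check that the caller has a
    site-administrator session, then trust the username/group parameters.
    Any site admin can therefore reach any account, "admin" included."""
    caller = DIRECTORY[session_user]
    if ROLE_RANK[caller.role] < ROLE_RANK["siteadmin"]:
        raise Forbidden("site administrator session required")
    target = DIRECTORY[params["username"]]   # never compared with caller.group
    return f"password for {target.name} changed by {caller.name}"


def hardened_modify(session_user, params):
    """Authorization derived from the session and the directory, never from
    request parameters. The 'group' parameter is ignored; the target's site
    is looked up server-side."""
    caller = DIRECTORY[session_user]
    target = DIRECTORY.get(params.get("username", ""))
    if target is None:
        raise Forbidden("no such user")
    if caller.role == "siteadmin" and target.group != caller.group:
        raise Forbidden(f"{target.name} is not in {caller.name}'s site")
    if caller.role == "user" and target.name != caller.name:
        raise Forbidden("ordinary users may only change their own password")
    if ROLE_RANK[target.role] > ROLE_RANK[caller.role]:
        raise Forbidden("target outranks caller")
    return f"password for {target.name} changed by {caller.name}"


def attempt(handler, session_user, params):
    """Run one request through a handler and report the outcome as text."""
    try:
        return "ALLOWED: " + handler(session_user, params)
    except Forbidden as exc:
        return "DENIED: " + str(exc)


# The request the advisory constructs: the site151 admin targets "admin".
# The per-request token on the real URL is left out: it is minted afresh by
# modify() for any username and encodes nothing about who may modify whom.
ADVISORY_REQUEST = {"username": "admin", "group": "site151"}


def run_scenarios():
    """Return (label, vulnerable outcome, hardened outcome) for each case."""
    cases = [
        ("siteadmin -> admin (the advisory)", "alice", ADVISORY_REQUEST),
        ("siteadmin -> user of own site", "alice", {"username": "bob", "group": "site151"}),
        ("siteadmin -> other site's admin", "alice", {"username": "carol", "group": "site152"}),
        ("plain user -> self", "bob", {"username": "bob", "group": "site151"}),
        ("plain user -> admin", "bob", ADVISORY_REQUEST),
        ("serveradmin -> site user", "admin", {"username": "alice", "group": "site151"}),
    ]
    return [(label, attempt(vulnerable_modify, who, p), attempt(hardened_modify, who, p))
            for label, who, p in cases]


if __name__ == "__main__":
    for label, vuln, hard in run_scenarios():
        print(f"{label:34} vulnerable: {vuln:46} hardened: {hard}")
```

Running it shows the advisory's request succeeding against the vulnerable
handler and being refused by the hardened one, while legitimate changes
(a site admin editing a user of its own site, a user editing itself, the
server administrator editing anyone) still pass. The point is that the
session, not the query string, must decide which users are in scope, and
that a one-time token does not substitute for that check.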
Gaining administrative privileges allows access to the Server Management
page, which shows all the server's clients, IP addresses and domain names,
and gives the ability to access all the clients' contact people, telephone
numbers, usernames, and passwords. You can also delete or download any
sites or files. The administrator's username and password also give full
access via FTP to the site, exposing the root directory of the server and
the /log/ directory, which allows you to delete any evidence that might be
stored there.
-------------------------------------------------------------------
To unsubscribe, send e-mail to [EMAIL PROTECTED]
To see the list rules, send e-mail to [EMAIL PROTECTED]
The archive is at http://www.mail-archive.com/[email protected]