Bugtraq mailing list archives

Stupid bug in W3-msql


From: veille () NEUROCOM COM (gregory duchemin)
Date: Tue, 17 Aug 1999 17:13:48 -0000


hi,

there is a really stupid bug in the w3-msql cgi-bin developed 
by Hughes Technology: http://www.Hughes.com.au
This bug is a bit old but seems to still be present in the 
last release of this software: mini-sql v 2.0.10.1

It's very simple to exploit the flaw: an intruder is able to 
look at everything on a remote web server even if the 
directory is ".htaccess protected" (e.g. Apache).

the first way to do it:

http://www.victim.org/cgi-bin/w3-msql/protected-directory/private-file
note: in this case, the intruder will have to already know the 
structure of the directory

the second way:

http://www.victim.org/cgi-bin/w3-msql/protected-directory/.htpasswd
in this way, the intruder will get all the DES-encrypted passwords for 
authorized users in plain text and so will be able to crack 
any account (e.g. with Crack 5.0 by Alec Muffett)

Solution:

First: there is no private directory on your site, ok... in 
this case, this bug doesn't matter to you

Otherwise, don't put your .htpasswd files under the Apache root
(change your link in .htaccess)
and quickly contact Hughes Technology.

have a nice day

Gregory Duchemin
(security engineer)

Neurocom
179-181 Av Charles De Gaulle
92200 Neuilly Sur Seine
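
The mitigation in the message above (keep .htpasswd files outside the web server's document root and point .htaccess at the new location) can be checked with a short audit. This is an added example, not part of the original post or of any Hughes Technology code; it assumes Apache-style .htaccess files using the AuthUserFile directive, and the function names and the sample directory layout are constructed for illustration.

```python
import os
import re
import tempfile

# Apache's AuthUserFile directive; commented-out lines do not match.
# Assumption: the path contains no spaces (quoted paths with spaces are not handled).
AUTH_RE = re.compile(r'^\s*AuthUserFile\s+"?([^"\s]+)"?', re.IGNORECASE | re.MULTILINE)

def audit_docroot(docroot, server_root):
    """Return (htaccess, password_file) pairs whose password file lies inside docroot.

    Apache resolves a relative AuthUserFile against ServerRoot, so the caller
    must supply server_root. Anything reported here is a file that a CGI
    reading paths under the document root could hand out.
    """
    docroot = os.path.realpath(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        htaccess = os.path.join(dirpath, ".htaccess")
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            targets = AUTH_RE.findall(fh.read())
        for target in targets:
            resolved = os.path.realpath(os.path.join(server_root, target))
            if os.path.commonpath([docroot, resolved]) == docroot:
                findings.append((htaccess, resolved))
    return sorted(findings)

def demo():
    """Audit a constructed site: one password file inside the docroot, one outside."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        docroot = os.path.join(tmp, "htdocs")
        layout = {
            "private": os.path.join(docroot, "private", ".htpasswd"),  # inside docroot
            "members": os.path.join(tmp, "auth", "members.htpasswd"),  # outside docroot
        }
        for name, pwfile in layout.items():
            os.makedirs(os.path.join(docroot, name))
            with open(os.path.join(docroot, name, ".htaccess"), "w") as fh:
                fh.write(f"AuthType Basic\nAuthUserFile {pwfile}\nRequire valid-user\n")
        return [(os.path.relpath(h, docroot), os.path.relpath(p, docroot))
                for h, p in audit_docroot(docroot, tmp)]

if __name__ == "__main__":
    for htaccess, pwfile in demo():
        print(f"{htaccess}: password file {pwfile} is inside the document root")
```
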

