Bugtraq mailing list archives
Cobalt RaQ2 - a user of mine changed my admin password..
From: chuck () OA NET (Chuck Pitre - Technical Support)
Date: Thu, 27 Jan 2000 17:29:56 -0700
Needles to say that was scary :) anyhow I rather feel embarrassed about this one (actually I can't believe I didn't think of it myself) I've pasted his email to me below. I have not yet attempted to duplicate the bug. -- snip snip -- To replicate this bug you must have Site Administrator access to one of the accounts on the server. When you go into the Site Management for a site and select the User Management option, you get a list of the usernames that have been setup for that account. The green pencil edit icon is a command to execute the JavaScript function modify() and it passes the username as the only variable into the function. To properly execute a function from the Location Bar in Netscape, the HTML page has to be the top frame. I simply opened the userList.html file in a new frame. When you type "javascript: modify( 'admin' );" into the Location Bar, the modify() function returns a URL. The URL returned when accessing it from my site is "http://207.153.19.154:81/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi?userna me=admin&group=site151&949015199230". This loads a standard Modify User page for the "admin" account. However, when you attempt to change this information by clicking the "Confirm Modify" button, it returns a JavaScript error because the function that it calls upon is dependant on the frame layout of the Site Management page. To overcome this issue I simply downloaded two HTML files to my hard disk. One is the index.html file, other other is the right.html file. I basically changed the index.html file to call upon the URL's on my site and had it load the right.html file locally off my hard disk. I then changed the right.html file to load the URL's on my site but changed the "main" frame source to "http://207.153.19.154:81/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi?userna me=admin&group=site151&949015199230" - the Modify User page for the "admin" account. It then loads up with all the correct frames AND the Modify User page for the "admin" account. I very simply just enter a new password for the user and click "Confirm Modify" and presto! The admin password is changed allowing me access to the Server Management page showing all the server's clients, IP addresses, domain names, and ability to access all the client's contact people, telephone numbers, usernames, and passwords. I also could delete any sites/files or downloaded any sites/files. I then had full access via FTP to the site showing the root directory of the server, and the ability to delete any evidence via the /log/ directory. I hope this answers any of the questions you had, and the whole process took me under 5 minutes! -- snip snip -- the users email address is skirkham () telusplanet net if you have any questions about it... ----->One Connection, A Million Places To Go<----- Chuck Pitre OA Group of Technologies, Internet Division Network Operations (780) 425-5151 ext 556 telephone (780) 425-3852 fax 1-888-663-1336 Toll Free
Current thread:
- Re: S/Key & OPIE Database Vulnerability, (continued)
- Re: S/Key & OPIE Database Vulnerability Mudge (Jan 25)
- Re: S/Key & OPIE Database Vulnerability Steve VanDevender (Jan 26)
- Future of s/key (Re: S/Key & OPIE Database Vulnerability) Frasnelli, Dan (Jan 26)
- Re: S/Key & OPIE Database Vulnerability Eivind Eklund (Jan 27)
- Re: S/Key & OPIE Database Vulnerability Jordan Ritter (Jan 27)
- Re: S/Key & OPIE Database Vulnerability Jordan Ritter (Jan 28)
- "Strip Script Tags" in FW-1 can be circumvented Arne Vidstrom (Jan 29)
- Re: S/Key & OPIE Database Vulnerability Brandon Palmer (Jan 27)
- Re: S/Key & OPIE Database Vulnerability Eivind Eklund (Jan 28)
- Multicast from hell John Watkins (Jan 27)
- Cobalt RaQ2 - a user of mine changed my admin password.. Chuck Pitre - Technical Support (Jan 27)
- Re: Cobalt RaQ2 - and QUBE2 Nir Simionovich (Rin Solo) (Jan 29)
- Tempfile vulnerabilities foo (Jan 30)
- [FreeBSD Security Advisory: FreeBSD-SA-00:02.procfs] Patrick Oonk (Jan 28)
- Re: Multicast from hell Omachonu Ogali (Jan 28)
- FTPPro has weird features - Fwd: Important matter for your abuse department Cedric Amand (Jan 28)
- New SCO patches... Aaron Sigel (Jan 27)
- Qpopper security bug Zhodiac (Jan 26)
- Re: S/Key & OPIE Database Vulnerability Dug Song (Jan 26)
- Microsoft Security Bulletin (MS00-006) Microsoft Product Security (Jan 26)
- Alert: MS IIS 4 / IS 2 (Cerberus Security Advisory CISADV000126) Mnemonix (Jan 26)