Bugtraq mailing list archives

Re: Piranha password file


From: arkth () TEAM COM PL (arkth)
Date: Fri, 9 Jun 2000 00:05:06 +0200


On Fri, 2 Jun 2000 frostman () SECUREACCESS INTRANETS COM wrote:

Looking at the default install of Piranha on RH 6.2, the password file is world readable and encrypted with standard
DES. Hence any user with a shell account can download this password file and crack it, in turn giving them access to
the Piranha configuration and probably more. I'm still testing to see what else can be gained. I looked over the
previous advisories on your site and Red Hat's and this wasn't mentioned.


hiehz... we were talking about it on BugzPL a few weeks ago ;> but that's
not all... if you want to change Piranha's passwd you can do it using
the form... it's stupid... let's see:

[arkth@localhost logs]$ pwd
/etc/httpd/logs
[arkth@localhost logs]$ ls -l access_log
-rw-r--r--    1 root     root       526471 May 19 20:58 access_log
[arkth@localhost logs]$ grep try1 access_log
127.0.0.1 - piranha [19/May/2000:14:00:48 +0200] "GET /piranha/secure/passwd.php3?try1=xxx&try2=xxx&passwd=ACCEPT HTTP/1.0" 200 3120
127.0.0.1 - piranha [19/May/2000:14:01:03 +0200] "GET /piranha/secure/passwd.php3?try1=yyy&try2=yyy&passwd=ACCEPT HTTP/1.0" 200 3120
127.0.0.1 - piranha [19/May/2000:20:58:50 +0200] "GET /piranha/secure/passwd.php3?try1=arkth&try2=arkth&passwd=ACCEPT HTTP/1.0" 200 3120
[arkth@localhost logs]$ _

we can see here all passwds (the last is the valid one ;) in plain
ASCII... :)
[first change was to: "xxx", second: "yyy", third: "arkth"]

on Red Hat access_log is world readable by default. i believe on other OSes
too (but i'm sure not on every one ;))

workaround?
bash# chmod 640 /var/log/httpd/access_log

greetz: BugzPL, #hackingpl...

ar...

--
----------------------------------------------------------
 |   " some people tell me that i need help,            |
 |     some people can fuck off and go to hell... "     |
 |    arkth proudly represents BugzPL mailing list :)   |
 |   mailto: arkth () team com pl, voice: +48 601 081497   |
----------------------------------------------------------
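An added example, not part of arkth's post or of the Piranha package: a small Python script that does what the grep above does by hand. It parses Common Log Format lines, flags GET requests whose query string carries the password form's fields, recovers the value the password was last set to, and checks whether a log file is world readable (the 644 mode shown in the ls -l above). The log lines inside it are constructed after the ones in the post, not a real capture; the field names try1/try2 and the path /piranha/secure/passwd.php3 come from the post, while treating "try1 == try2 with status 200" as a successful change, and treating passwd=ACCEPT as the form's submit button rather than a secret, are assumptions.

```python
# Added example, not code from the post or from Piranha: find credentials that a
# form submitted with GET has leaked into an Apache access_log, and check the
# log's permissions.
import os
import re
import stat
import tempfile
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines modelled on the post (not a real capture). Lines 3 and
# 5 are decoys: no query string, and a POST whose body Apache does not log.
SAMPLE_LOG = """\
127.0.0.1 - piranha [19/May/2000:14:00:48 +0200] "GET /piranha/secure/passwd.php3?try1=xxx&try2=xxx&passwd=ACCEPT HTTP/1.0" 200 3120
127.0.0.1 - piranha [19/May/2000:14:01:03 +0200] "GET /piranha/secure/passwd.php3?try1=yyy&try2=yyy&passwd=ACCEPT HTTP/1.0" 200 3120
127.0.0.1 - piranha [19/May/2000:14:05:10 +0200] "GET /piranha/secure/control.php3 HTTP/1.0" 200 4100
127.0.0.1 - piranha [19/May/2000:20:58:50 +0200] "GET /piranha/secure/passwd.php3?try1=arkth&try2=arkth&passwd=ACCEPT HTTP/1.0" 200 3120
10.0.0.5 - - [19/May/2000:21:00:00 +0200] "POST /piranha/secure/passwd.php3 HTTP/1.0" 200 3120
"""

# Apache Common Log Format: host ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Query parameters whose values are secrets. try1/try2 are the Piranha form's
# new-password and confirm fields (from the post); "passwd=ACCEPT" is assumed to
# be the submit button, so "passwd" is deliberately not listed here.
SENSITIVE_PARAMS = ("try1", "try2", "password", "new_password", "pw")

PASSWD_FORM = "/piranha/secure/passwd.php3"


def parse_line(line):
    """Split one CLF line into its fields, plus the decoded path and query; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_leaked_credentials(log_text):
    """Return [(time, user, path, {param: value})] for GET requests carrying a sensitive parameter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        leaked = {k: v[0] for k, v in rec["query"].items()
                  if k.lower() in SENSITIVE_PARAMS and v}
        if leaked:
            hits.append((rec["time"], rec["user"], rec["path"], leaked))
    return hits


def latest_password_change(log_text, path=PASSWD_FORM):
    """Value the password was last set to, reading the log the way the post does.

    Assumption: a request to the form with try1 == try2 answered 200 took effect,
    so the last such request holds the password currently in use."""
    current = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != path or rec["status"] != "200":
            continue
        q = rec["query"]
        if q.get("try1") and q.get("try1") == q.get("try2"):
            current = q["try1"][0]
    return current


def world_readable(path):
    """True if the 'other' read bit is set, as with the -rw-r--r-- access_log in the post."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo_permission_check(mode):
    """Create a scratch file with the given mode and report whether it is world readable."""
    fd, path = tempfile.mkstemp()
    try:
        os.close(fd)
        os.chmod(path, mode)
        return world_readable(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for when, user, path, leaked in find_leaked_credentials(SAMPLE_LOG):
        print(f"{when} user={user} {path} leaked={leaked}")
    print("password currently set:", latest_password_change(SAMPLE_LOG))
    print("644 world readable:", demo_permission_check(0o644))
    print("640 world readable:", demo_permission_check(0o640))
```

Run it against a real log with `find_leaked_credentials(open("/var/log/httpd/access_log").read())`; the point of the parser is that a form which submits secrets with GET leaves them in every place the request line is logged, so the chmod above helps only on that one file, and the fix is to have the form POST instead.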