Bugtraq mailing list archives
Re: Vulnerabilities in Informix Webdriver
From: Joel Michael <joel () DIGGY COM AU>
Date: Thu, 4 Jan 2001 23:57:12 +1000
On 30 Dec 2000 08:34:53 +0800, isno wrote:
> Webdriver is the web interface of Informix database, I found it is vulnerable. In the common condition, webdriver is submitted with a parameter, but if you type http://victim/cgi-bin/webdriver directly, it will return a webpage which you can modify or delete database on it.
When no parameters are passed, the webdriver uses the defaults found in the web configuration, which is stored within the 'webconfigs' table in v4 web blade installations, and in the web.cnf file in v3 web blade installations. Which default MIval did you set as the default? By default, the MIval is set to /default.html, and this page does not even exist within the database when the web blade is first installed, hence will give you a 404. If you could explain a bit more of the 'vulnerable' setup, like which platform both the web server and database server are on, which versions of Informix engine and web datablade you're using, and anything else that's relevant, it would be a great help to me.
> Otherwise, webdriver will make a /tmp/.log file, its attribute is -rw-rw-rw, we can make a symlink and get the nobody privilege, although without root privilege, we can deface the website as nobody.
In the version of webdriver I'm using on my live servers (4.10.UC1), you specify the location of the log file in the web.cnf using the debug_file parameter in the <global> section of the config. The CGI webdriver will write to the specified log file as the user/group that the web server is configured to run CGI as, and writes the file with permissions -rw-r--r--. If the webdriver is server-based, it seems as though it writes as the user the web server was started as (at least with Apache, on my systems it is root/other).
Also, there is no way to alter the web pages unless the AppPage editor has been installed into the database, and that the target site uses AppPage editor to edit their site, not DDW, which does not use the same source table for the html. Without diving into manuals which I don't have handy at the moment, I also seem to recall that you need to authenticate against the wbusers or webusers table, and have the appropriate page levels set for the user.
--
Joel Michael
Systems Administrator
Diggy Internet Services
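The log-file question discussed in this message (a debug log in a shared directory, its permission bits, and whether a symlink can stand in for it) can be checked on a host as follows. This is an added example, not part of the original thread and not Informix code; the function names and the file names in the demo are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_log_path(path):
    """Return findings for a log path (e.g. the debug_file value); [] means clean."""
    findings = []
    parent = os.path.dirname(os.path.abspath(path))
    # A directory other users can write to lets them pre-create the log name.
    if os.stat(parent).st_mode & stat.S_IWOTH:
        findings.append("parent-world-writable")
    try:
        st = os.lstat(path)  # lstat inspects the entry itself, not a link target
    except FileNotFoundError:
        return findings
    if stat.S_ISLNK(st.st_mode):
        findings.append("is-symlink")
    elif st.st_mode & stat.S_IWOTH:
        findings.append("file-world-writable")
    return findings


def open_log_safely(path):
    """Open the log for append; refuse a symlink as the final path component."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    return os.open(path, flags, 0o644)  # OSError (ELOOP) if path is a symlink


def demo():
    """Constructed layout: a shared directory holding a 0666 log and a symlink."""
    shared = tempfile.mkdtemp()
    os.chmod(shared, 0o1777)  # same mode as a typical /tmp
    log = os.path.join(shared, "webdriver.log")  # constructed file name
    with open(log, "w"):
        pass
    os.chmod(log, 0o666)
    link = os.path.join(shared, "linked.log")
    os.symlink(log, link)
    results = {"log": audit_log_path(log), "link": audit_log_path(link)}
    try:
        os.close(open_log_safely(link))
        results["open_link"] = "opened"
    except OSError:
        results["open_link"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

Run `audit_log_path` against the path configured in debug_file; a log kept in a directory only the web server account can write to, with mode -rw-r--r--, returns an empty list.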