5195749 2000-06-14 22:24 /66 lines/ Postmaster
Recipient: Bugtraq (import) <11287>
Subject: Re: Piranha password file
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Sender: arkth@localhost.localdomain
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.21.0006082351180.765-100000@localhost.localdomain>
Date: Fri, 9 Jun 2000 00:05:06 +0200
Reply-To: arkth <arkth@TEAM.COM.PL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: arkth <arkth@TEAM.COM.PL>
X-To: frostman@SECUREACCESS.INTRANETS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000602192938.23036.cpmta@c000.snv.cp.net>

On Fri, 2 Jun 2000 frostman@SECUREACCESS.INTRANETS.COM wrote:

> Looking at the default install of Piranha on RH 6.2 the password file is
> world readable and encrypted with standard DES. Hence any user with a shell
> account can download this password file and crack it, in turn giving them
> access to the Piranha configuration and probably more. I'm still testing to
> see what else can be gained. I looked over the previous advisories on your
> site and Red Hat's and this wasn't mentioned.
>
> _________________________________________________________________
> Get your own free, private space on the Web at www.intranets.com.

hiehz... we were talking about it on BugzPL a few weeks ago ;> but that's
not all... if you want to change Piranha's passwd you can do it using the
form... it's stupid...
let's see:

[arkth@localhost logs]$ pwd
/etc/httpd/logs
[arkth@localhost logs]$ ls -l access_log
-rw-r--r--   1 root     root       526471 May 19 20:58 access_log
[arkth@localhost logs]$ grep try1 access_log
127.0.0.1 - piranha [19/May/2000:14:00:48 +0200] "GET /piranha/secure/passwd.php3?try1=xxx&try2=xxx&passwd=ACCEPT HTTP/1.0" 200 3120
127.0.0.1 - piranha [19/May/2000:14:01:03 +0200] "GET /piranha/secure/passwd.php3?try1=yyy&try2=yyy&passwd=ACCEPT HTTP/1.0" 200 3120
127.0.0.1 - piranha [19/May/2000:20:58:50 +0200] "GET /piranha/secure/passwd.php3?try1=arkth&try2=arkth&passwd=ACCEPT HTTP/1.0" 200 3120
[arkth@localhost logs]$ _

we can see here all passwds (the last is the valid one ;) in plain ASCII... :)
[first change was to: "xxx", second: "yyy", third: "arkth"]

on redhat access_log is world readable by default. i believe on other OSes
too (but i'm sure not on every ;))

workaround?

bash# chmod 640 /var/log/httpd/access_log

greetz: BugzPL, #hackingpl...

ar...

--
----------------------------------------------------------
| " some people tell me that i need help,                |
| some people can fuck off and go to hell... "           |
| arkth proudly represents BugzPL mailing list :)        |
| mailto: arkth@team.com.pl, voice: +48 601 081497       |
----------------------------------------------------------
(5195749) ------------------------------------------(Re-wrapped)
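The post shows two defensive problems at once: a password-change form that submits credentials via GET, so they are written into the web server's access log, and an access log that is world readable by default. The following script is an added example written for this archive page; it is not code from the post, from Piranha or from Red Hat. It parses Apache common-log-format lines, reports every request whose query string carries a credential-looking parameter, emits a copy of the log with those values redacted, and checks whether a file mode grants read access to "other". The parameter-name list is an assumption (it includes the try1/try2 names visible in the post and a few generic password names), and the sample log embedded below is constructed from the three lines in the post plus one benign request.

```python
"""Audit an Apache access log for credentials leaked through GET query
strings, produce a redacted copy, and flag world-readable log files.
Added example for this archive page; not part of the original post."""
import os
import re
import stat
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Apache "common" log format: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumed, deliberately broad list of parameter names treated as credential
# bearing. try1/try2 are the names the Piranha form used in the post; the
# match is by name only, so a submit-button value such as passwd=ACCEPT is
# redacted as well, which is the safe direction for a log sanitiser.
SENSITIVE_PARAMS = {"passwd", "password", "pass", "pwd", "try1", "try2"}


def parse_line(line):
    """Return the fields of one common-log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def leaked_params(target):
    """Names of sensitive parameters present in the request target's query string."""
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_target(target):
    """Replace the values of sensitive query parameters, keeping path and order."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def audit(lines):
    """Return (findings, redacted_lines).

    findings is a list of dicts, one per request that carried a sensitive
    parameter; redacted_lines is the full log with those values masked.
    Lines that do not parse are passed through untouched."""
    findings, redacted = [], []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            redacted.append(line)
            continue
        names = leaked_params(rec["target"])
        if names:
            findings.append({"line": n, "host": rec["host"], "user": rec["user"],
                             "time": rec["time"],
                             "path": urlsplit(rec["target"]).path,
                             "params": names})
            line = line.replace(rec["target"], redact_target(rec["target"]), 1)
        redacted.append(line)
    return findings, redacted


def is_world_readable(mode):
    """True if the permission bits grant read to 'other' (0644 does, 0640 does not)."""
    return bool(mode & stat.S_IROTH)


# Constructed sample: one benign request plus the three lines quoted in the post.
SAMPLE_LOG = [
    '127.0.0.1 - - [19/May/2000:14:00:10 +0200] "GET /piranha/ HTTP/1.0" 200 1234',
    '127.0.0.1 - piranha [19/May/2000:14:00:48 +0200] "GET /piranha/secure/passwd.php3?try1=xxx&try2=xxx&passwd=ACCEPT HTTP/1.0" 200 3120',
    '127.0.0.1 - piranha [19/May/2000:14:01:03 +0200] "GET /piranha/secure/passwd.php3?try1=yyy&try2=yyy&passwd=ACCEPT HTTP/1.0" 200 3120',
    '127.0.0.1 - piranha [19/May/2000:20:58:50 +0200] "GET /piranha/secure/passwd.php3?try1=arkth&try2=arkth&passwd=ACCEPT HTTP/1.0" 200 3120',
]


if __name__ == "__main__":
    # Usage: python audit_log.py [/path/to/access_log]
    if len(sys.argv) > 1:
        path = sys.argv[1]
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if is_world_readable(mode):
            print(f"WARNING: {path} is world readable (mode {mode:04o})")
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    findings, redacted = audit(lines)
    for f in findings:
        print(f"line {f['line']}: {f['host']} user={f['user']} {f['path']} "
              f"leaks {', '.join(f['params'])} at {f['time']}")
    print("--- redacted log ---")
    print("\n".join(redacted))
```

Run without arguments it audits the embedded sample and reports three hits on /piranha/secure/passwd.php3; given a path it also warns when the file mode grants read to "other". The redacted copy is what should be retained or shipped to a central log store. Note that masking and `chmod 640` only limit who can read the leaked values after the fact; the lasting fix is for the form to submit credentials in a POST body rather than the query string, so they never reach the access log at all.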