exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Atstake Security Advisory 04-07-13.1

Atstake Security Advisory 04-07-13.1
Posted Jul 14, 2004
Authored by David Goldsmith, Atstake | Site atstake.com

Atstake Security Advisory A071304-1 - 4D WebSTAR versions 5.3.2 and below suffer from numerous vulnerabilities that allow for an attacker to escalate privileges or obtain access to protected resources. These include a remotely exploitable pre-authentication FTP overflow, directory indexing of any directory on the host, file disclosure of PHP.INI, and local privilege escalation and file overwrite via symbolic links.

tags | advisory, overflow, local, php, vulnerability
SHA-256 | 3687cf4f4805ebd7619c3a629f029fcea5cc0d6baf1031b38b9528d9e63c3d7c

Atstake Security Advisory 04-07-13.1

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: WebSTAR 5.3.2 Multiple Vulnerabilities
Release Date: 07/13/2004
Application: WebSTAR 5.3.2 and below
Platform: MacOS X 10.3.3 and below
Severity: A remote attacker can obtain root privileges
A remote attacker can get directory listings of
any directory
A remote attacker can obtain copies of the PHP
configuration file
A local attacker can obtain root privileges
Author: Dave G. <daveg@atstake.com>
Vendor Status: Upgrade with fix available
CVE Candidate: Candidate number applied for
Reference: www.atstake.com/research/advisories/2004/a071304-1.txt


Overview:

4D WebSTAR is a software product that provides Web, FTP, and Mail
services for Mac OS X. There are numerous vulnerabilities that allow
for an attacker to escalate privileges or obtain access to protected
resources.


Details:

Issue #1: Remotely Exploitable Pre-Authentication FTP overflow

There is a stack based buffer overflow within the FTP service. An
attacker can take advantage of this overflow by sending in a long
FTP command. This can happen prior to authentication. A long FTP
command will trigger a stack based memory trespass. Upon successful
exploitation, an attacker will have the privileges of the 'webstar'
user and group id 'wheel'. An attacker can gain administrative
privileges by taking advantage of Issue #4.

Issue #2: Directory Indexing of Any Directory on Host

One of the sample scripts included with WebSTAR
(/cgi-bin/ShellExample.cgi) can be used to gain a directory listing
of any directory on the server. This is done by sending in a path
to the directory followed by an asterisk ("*") as the query string.

Issue #3: File Disclosure of PHP.INI

There is a vulnerability within the WebServer that allows an attacker
to download the php.ini files located within the /cgi-bin and
/fcgi-bin directories. This can contain sensitive information about
the WebServer and the Database Server, potentially including the
account and password used by PHP to communicate with the database.

Issue #4: Local Privilege Escalation and File Overwrite Via Symbolic
Links

WebSTAR will attempt to open up files via a relative path from the
current working directory. An attacker can use this vulnerability
to overwrite files with the private key of the WebServer. Due to a
default umask that creates files with global read and write
privileges, an attacker create files related to the cron subsystem
that will allow a local attacker to obtain administrative privileges.


Disclosure Timeline:

Vendor notified: 04/05/2004
Fix available: 07/08/2004
Advisory released: 07/13/2004


Vendor Response:

4D has released an upgrade for 4D WebSTAR.

Download WebSTAR 5.3.3:
ftp://ftp.4d.com/products/webstar/current/4d_webstar_v/4d_webstar_v.sit

Bug Fix information [URL wraps]:
ftp://ftp.4d.com/ACI_PRODUCT_REFERENCE_LIBRARY/4D_PRODUCT_DOCUMENTATION/
PDF_Docs_by_4D_Product_A-Z/4D_WebSTAR/Software_Change_History.txt


@stake Recommendation:

Upgrade to WebSTAR 5.3.3.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

Candidate number applied for.

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc


Copyright 2004 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQPQxIke9kNIfAm4yEQLbIgCgsrFg/DE5Ii0ffHbFBFCDO97tLt0An2mp
8SBDZp4zgSuy8km28YQX+8CW
=4aqN
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close