------------------------------------------------------------
- EXPL-A-2005-007 exploitlabs.com Advisory 036 -
------------------------------------------------------------
- H-Sphere -

AFFECTED PRODUCTS
=================
H-Sphere Winbox
Positive Software Corporation
https://www.psoft.net

OVERVIEW
========
H-Sphere is a scalable multiserver web hosting solution. It has many advanced features and a sophisticated billing system to automate and improve your web hosting tasks. H-Sphere was designed to work on many servers and can be scaled by adding more web, mail, database, and DNS servers without any downtime. It provides a simple, easy-to-use web interface that can be maintained from any computer with an internet connection. H-Sphere was written in Java and works with any SQL-compliant database.

DETAILS
=======
1. Local user/pass information disclosure

Item 1
------
While performing administration duties for domain management, H-Sphere writes log information containing domain information and user/password combinations in plaintext.

C:\HSphere.NET\log
    action.log      <--- stores user/pass
    resources.log   <--- stores user/pass

Example log entry:

[0/00/2005 0:00:00 AM] Thread: 0000; Requested method "account.update" with parameters resourcename=account, username=theuser, password=thepassword

On Windows machines running H-Sphere, the default install does not restrict permissions on this folder, allowing less privileged local users to read account information.

SOLUTION
========
Psoft has been contacted and a patch has been released. It is available at:

http://www.psoft.net/misc/hsphere_winbox_security_update_passwd.html

Note that log files written before the update still contain the logged user/password combinations; restricting the folder permissions does not remove them from existing logs.

Credits
=======
This vulnerability was discovered and researched by Donnie Werner of exploitlabs.

Donnie Werner
mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org

http://exploitlabs.com/files/advisories/EXPL-A-2005-007-hsphere.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
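A quick way to confirm the disclosure on an installed system is to parse the log lines in the format the advisory quotes and report every entry whose parameters carry a password, then redact those values before the logs are handed to anyone else. The following is an added example written for this page, not code from exploitlabs or Positive Software. The sample log lines are constructed in the shape of the advisory's quoted entry and are not real H-Sphere output; the log directory and file names are the ones the advisory lists, and the extra parameter spellings (passwd, pass, pwd) are an assumption added to catch variants the advisory does not mention.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the line quoted in the advisory; this is
# not real H-Sphere output and the user names and values are made up.
SAMPLE_LOG = (
    '[0/00/2005 0:00:00 AM] Thread: 0000; Requested method "account.update" '
    'with parameters resourcename=account, username=theuser, password=thepassword\n'
    '[0/00/2005 0:00:01 AM] Thread: 0001; Requested method "domain.list" '
    'with parameters resourcename=domain, username=theuser\n'
    '[0/00/2005 0:00:02 AM] Thread: 0002; Requested method "account.create" '
    'with parameters resourcename=account, username=other, passwd=s3cret\n'
    'malformed line that the scanner should skip\n'
)

# Log directory and file names taken from the advisory.
DEFAULT_LOG_DIR = r"C:\HSphere.NET\log"
LOG_FILES = ("action.log", "resources.log")

# Parameter names treated as secrets. Only "password" appears in the advisory;
# the other spellings are an assumption so variants are not missed.
SENSITIVE_KEYS = {"password", "passwd", "pass", "pwd"}

# One log line: [timestamp] Thread: N; Requested method "x.y" with parameters k=v, ...
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+Thread:\s*(?P<thread>[^;]+);\s+'
    r'Requested method\s+"(?P<method>[^"]+)"'
    r'(?:\s+with parameters\s+(?P<params>.*))?$'
)

@dataclass
class Entry:
    timestamp: str
    thread: str
    method: str
    params: Dict[str, str] = field(default_factory=dict)

def parse_params(text: str) -> Dict[str, str]:
    """Split 'k=v, k2=v2' into a dict; a bare token becomes a key with an empty value."""
    params: Dict[str, str] = {}
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        params[key.strip()] = value.strip() if sep else ""
    return params

def parse_line(line: str) -> Optional[Entry]:
    """Parse one line of the quoted format; return None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Entry(m.group("ts"), m.group("thread").strip(), m.group("method"),
                 parse_params(m.group("params") or ""))

def leaked_credentials(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (method, username, secret_param) for every entry that logs a secret."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for key in entry.params:
            if key.lower() in SENSITIVE_KEYS:
                hits.append((entry.method, entry.params.get("username", ""), key))
    return hits

# Matches "password=<value up to the next comma>" for any of the secret key spellings.
SECRET_VALUE_RE = re.compile(r'\b(password|passwd|pass|pwd)=[^,]*', re.IGNORECASE)

def redact_line(line: str) -> str:
    """Blank the value of any secret parameter so a copy of the log can be shared."""
    return SECRET_VALUE_RE.sub(r"\1=***", line)

def scan_directory(log_dir: str = DEFAULT_LOG_DIR) -> Dict[str, List[Tuple[str, str, str]]]:
    """Scan the two log files named in the advisory, if present, and report leaks per file."""
    report: Dict[str, List[Tuple[str, str, str]]] = {}
    for name in LOG_FILES:
        path = os.path.join(log_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            report[name] = leaked_credentials(fh.read())
    return report

if __name__ == "__main__":
    for method, user, key in leaked_credentials(SAMPLE_LOG):
        print(f"{method}: parameter '{key}' logged in plaintext for user {user!r}")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

Run it on the box as `scan_directory()` to see which of the two files contain credentials; any user named in a hit should have that password rotated, since tightening the folder ACL after the fact does not help if a low-privileged local user has already read the file.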