Full Disclosure mailing list archives
Re: H-Sphere
From: "KF (lists)" <kf_lists () digitalmunition com>
Date: Mon, 09 May 2005 11:14:57 -0400
In some cases the unix hsphere installer leaves the user unixtest with a pass of unixtest1 and ftptest with a pass of ftptest1 laying behind. These accounts usually have a normal shell access.
This software is NOT very fun to work with from an admin standpoint! -KF Morning Wood wrote:
------------------------------------------------------------ - EXPL-A-2005-007 exploitlabs.com Advisory 036 - ------------------------------------------------------------ - H-Sphere - AFFECTED PRODUCTS ================= H-Sphere Winbox Positive Software Corporation https://www.psoft.net OVERVIEW ======== H-Sphere is a scalable multiserver web hosting solution. It has many advanced features and a sophisticated billing system to automate and improve your web hosting tasks. H-Sphere was designed to work on many servers and can be scaled by adding more web, mail, database, and DNS servers without any downtime. It provides a simple, easy-to-use web interface that can be maintained from any computer with internet connection. H-Sphere was written in Java and works with any SQL-compliant database. DETAILS ======= 1. local user/pass information disclosure Item 1 --------- While performing administration duties for domain management, HSPHERE writes log information containing domain information and user/password combinations. C:\HSphere.NET\log action.log <--- stores user/pass resources.log <--- stores user/pass example: [0/00/2005 0:00:00 AM] Thread: 0000; Requested method "account.update" with parameters resourcename=account, username=theuser, password=thepassword on windows machines running HSPHERE, the default install does not restrict permissions to this folder, allowing less priveleged users to read account information. SOLUTION: ========= Psoft has been contacted and a patch released it is available at: http://www.psoft.net/misc/hsphere_winbox_security_update_passwd.html Credits ======= This vulnerability was discovered and researched by Donnie Werner of exploitlabs Donnie Werner mail: wood at exploitlabs.com mail: morning_wood at zone-h.org
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- H-Sphere Morning Wood (May 09)
- Re: H-Sphere KF (lists) (May 09)