Penetration Testing mailing list archives
Re: [PEN-TEST] Silverstream.
From: Tom Vandepoel <Tom.Vandepoel () UBIZEN COM>
Date: Thu, 11 Jan 2001 12:28:31 +0100
ERisk.CH () CH EYI COM wrote:
I recently did some research on the SilverStream application server and found a number of interesting problems. By default a SilverStream application server is wide open; remote users can do virtually anything. It's extremely important to lock the server down correctly. Unfortunately the SilverStream documentation doesn't help very much (at least it didn't 6 months ago; hopefully SilverStream have improved the doc since then). Also, locking down a SilverStream server is not trivial - there are lots of parameters to change. Many web administrators don't lock their servers down properly... You might like to try the following:
On the latest version, most of these seem to be locked down by default. The admin doc has a large section on security and how to set the permissions correctly. I still don't like the fact that these are still available in band though. All it would take is a vulnerability in the uid checking mechanism to get to these. The latest version does seem to have the possibility to make the admin interface URLs only accessible using a separate TCP port.
7. Test if it's possible to view the internal database structure: http://web-server/SilverStream/Meta/Tables?access-mode=text also http://web-server/dbname/SilverStream/Meta/Tables?access-mode=text where dbname is the name of the database.
http://web-server/dbname/SilverStream/Meta/Entities?access-mode=text gives a listing of the database's table names, and access to it doesn't seem to be restricted by default, even in the latest version. Not spectacular by itself, but maybe useful in combination with something else.

Tom.

--
Tom Vandepoel
Ubizen
Sr. Security Engineer
We Secure e-Business
Phone +32 16 28 70 00
Fax +32 16 28 71 00
http://www.ubizen.com
http://www.securitywatch.com
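The two metadata URLs discussed in this thread (the `/SilverStream/Meta/Tables` and `/SilverStream/Meta/Entities` paths, with or without a database name in front) are easy to pick out of a web server access log. The following is an added example, not code from the original post or from SilverStream, that parses constructed Common Log Format lines and reports which of those requests the server actually served (status 200) rather than refused; the log lines, IP addresses and database name `orders` are all made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jan/2001:12:28:31 +0100] "GET /SilverStream/Meta/Tables?access-mode=text HTTP/1.0" 200 4821
10.0.0.5 - - [11/Jan/2001:12:28:40 +0100] "GET /orders/SilverStream/Meta/Entities?access-mode=text HTTP/1.0" 200 913
10.0.0.9 - - [11/Jan/2001:12:29:02 +0100] "GET /orders/index.html HTTP/1.0" 200 2210
10.0.0.5 - - [11/Jan/2001:12:29:15 +0100] "GET /SilverStream/Meta/Tables?access-mode=text HTTP/1.0" 403 312
"""

# Common Log Format: client, ident, user, [timestamp], "request line", status, bytes.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Optional leading database name, then the metadata path named in the thread.
META_RE = re.compile(r'^(?:/(?P<dbname>[^/]+))?/SilverStream/Meta/(?P<view>Tables|Entities)$')


def parse_line(line):
    """Return the CLF fields of one log line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def find_meta_requests(log_text):
    """Return one record per request for a SilverStream metadata view."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        m = META_RE.match(parts.path)
        if m is None:
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "dbname": m.group("dbname"),          # None for the server-wide URL
            "view": m.group("view"),
            "access_mode": parse_qs(parts.query).get("access-mode", [""])[0],
            "served": rec["status"] == "200",     # 200 means the schema listing went out
        })
    return hits


def served_by_client(hits):
    """Count, per client IP, how many metadata listings were actually served."""
    counts = {}
    for h in hits:
        if h["served"]:
            counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts
```

A non-zero count for a client in `served_by_client` means the server handed out its table names, which is the condition the thread says is unrestricted by default; a 403 hit shows the lockdown is in place but still records the attempt.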