Penetration Testing mailing list archives

Re: [PEN-TEST] Silverstream.


From: Tom Vandepoel <Tom.Vandepoel () UBIZEN COM>
Date: Thu, 11 Jan 2001 12:28:31 +0100

ERisk.CH () CH EYI COM wrote:

> I recently did some research on the SilverStream application server and
> found a number of interesting problems. By default a SilverStream
> application server is wide open, remote users can do virtually anything.
> It's extremely important to lock the server down correctly. Unfortunately
> the SilverStream documentation doesn't help very much (at least it didn't 6
> months ago, hopefully SilverStream have improved the doc since then). Also,
> locking down a SilverStream server is not trivial - there's lots of
> parameters to change. Many web administrators don't lock their servers down
> properly...
>
> You might like to try the following:


On the latest version, most of these seem to be locked down by default.
The admin doc has a large section on security and how to set the
permissions correctly. I still don't like the fact that these are still
available in band though. All it would take is a vulnerability in the
uid checking mechanism to get to these. The latest version does seem to
have the possibility to make the admin interface URLs only accessible
using a separate TCP port.

> 7. Test if it's possible to view the internal database structure:
> http://web-server/SilverStream/Meta/Tables?access-mode=text
> also
> http://web-server/dbname/SilverStream/Meta/Tables?access-mode=text
> where dbname is the name of the database.


http://web-server/dbname/SilverStream/Meta/Entities?access-mode=text

Gives a listing of the database's table names and access to it doesn't
seem to be restricted by default, even in the latest version. Not
spectacular by itself, but maybe useful in combination with something
else.

Tom.

--
Tom Vandepoel                 Ubizen
Sr. Security Engineer         We Secure e-Business
Phone   +32 16 28 70 00       http://www.ubizen.com
Fax     +32 16 28 71 00       http://www.securitywatch.com

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
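
The following is an added example, not part of the original message or of SilverStream: a log check that flags requests to the Meta/Tables and Meta/Entities URLs mentioned in the thread when they were answered without authentication. It assumes the server or a front-end proxy writes Common Log Format and that an authuser field of "-" means no credentials were presented; the function name, the database name "orders" and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format: host ident authuser [date] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
# /SilverStream/Meta/<Tables|Entities>, with or without a leading /dbname.
# Case-insensitive on purpose: a detection rule should be lenient (assumption).
META = re.compile(r'^(?:/[^/]+)?/SilverStream/Meta/(Tables|Entities)/?$', re.I)

def meta_exposures(lines):
    """Return (client, path, access_mode) for each Meta request that was
    answered with a 2xx status while no authenticated user was logged."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line, ignore
        client, user, target, status = m.groups()
        url = urlsplit(target)
        if not META.match(url.path):
            continue  # some other URL
        if user == "-" and status.startswith("2"):
            mode = parse_qs(url.query).get("access-mode", [""])[0]
            hits.append((client, url.path, mode))
    return hits

# Constructed sample log (documentation address range 192.0.2.0/24).
SAMPLE = [
    '192.0.2.10 - - [11/Jan/2001:12:01:07 +0100] '
    '"GET /SilverStream/Meta/Tables?access-mode=text HTTP/1.0" 200 5120',
    '192.0.2.10 - - [11/Jan/2001:12:01:09 +0100] '
    '"GET /orders/SilverStream/Meta/Entities?access-mode=text HTTP/1.0" 200 2048',
    '192.0.2.10 - - [11/Jan/2001:12:01:11 +0100] '
    '"GET /orders/SilverStream/Meta/Tables?access-mode=text HTTP/1.0" 401 0',
    '192.0.2.44 - admin [11/Jan/2001:12:05:30 +0100] '
    '"GET /SilverStream/Meta/Tables?access-mode=text HTTP/1.0" 200 5120',
    '192.0.2.77 - - [11/Jan/2001:12:06:02 +0100] "GET /index.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for client, path, mode in meta_exposures(SAMPLE):
        print(f"unauthenticated metadata listing served to {client}: "
              f"{path} (access-mode={mode})")
```

Any hit means the server returned schema metadata to a client that presented no credentials, so the permissions on those URLs need to be tightened as described in the admin documentation.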

