Vulnerability
WebTrends Enterprise Reporting Server

Affected
WebTrends Enterprise Reporting Server ver 1.5

Description
Manos Megagiannis found the following. WebTrends Enterprise Reporting Server ver 1.5 running on Linux or Solaris has the following vulnerabilities:

1) If the WebTrends Enterprise Reporting Server is running as root, file ownership misconfiguration may make it possible for local users to gain root privileges.

2) WebTrends Enterprise Reporting Server logs debug information in a world readable and writable file. The debug information may include user-names and passwords stored in clear text. It may be possible for local users to gain unauthorized access to the server as well as to the WebTrends administration software. Local users can also modify that file, making the auditing mechanism unsafe.

If the server is running without PAM, you have to use their interface to create new users and set their passwords. In that case, by default, everything (including username and password) is stored in clear text in the file "interface.log" with read/write permissions for user, group and other. Any local user can read that file and therefore, if a WebTrends user also has a shell account on the box with the same password, that account can be compromised. Also, since everybody has write access to that file, they can alter it, so the auditing purpose of that file is useless.

3) WebTrends Enterprise Reporting Server stores its user information in files with world read/write permissions. It may be possible for local users to gain unauthorized access to the WebTrends administration software, and/or create a denial of service. All user information is stored in the directory "wtm_wtx/datfiles/users" in the format "username.usr". Those files have owner/group/other read/write permissions. Any local user can decrypt the password or, even easier, alter/delete the user file and therefore create a denial of service.

4) WebTrends Enterprise Reporting Server stores its profile information in files with world read/write permissions. It may be possible for local users to create a denial of service. How? Same as with the user files: all profile information is stored in "wtm_wtx/datfiles/profiles" with owner/group/other read/write permissions. Any local user can alter/delete the profile file and therefore create a denial of service.

5) On WebTrends Enterprise Reporting Server, the default installation has a blank administrator password. A remote user may be able to gain administrative privileges to the WebTrends administration software.

Regarding 1): if a local user has (or gains) uid or gid bin, they can gain root privileges. The WebTrends directories with the scripts (executed as root) are owned by user bin, group bin, with read/write/execute permissions for owner and group. Therefore someone can write a simple perl script that will be executed as root.

Solution
You can run the server as root or as some other user. In order to use PAM (Pluggable Authentication Module) it has to run as root. Also they have an entry in the configuration file where you specify what user the front end will run as, but.... the front end just interfaces to the server that runs as root anyway. Therefore you can still do whatever you want. No proper solution yet.
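The findings above all reduce to file-permission and ownership checks that an administrator can verify on a host before and after any hardening. The following audit script is an added example and is not part of the advisory or of WebTrends itself. It uses the paths the advisory names ("interface.log", "wtm_wtx/datfiles/users", "wtm_wtx/datfiles/profiles"); the script directory "wtm_wtx/scripts", the file name "report.pl", the ".prf" extension, the uid/gid 2 for bin, and the sample records are all constructed assumptions for illustration.

```python
"""Audit a WebTrends install tree for the permission problems the advisory lists.
Added example, not from the advisory. The sample entries at the bottom are
constructed; on a real host use audit_install() against the install root."""
import os
import stat
from dataclasses import dataclass

# Paths named in the advisory, relative to the WebTrends install root.
SENSITIVE_FILES = ("interface.log",)                       # clear-text credentials in debug log
SENSITIVE_DIRS = ("wtm_wtx/datfiles/users",                # username.usr files
                  "wtm_wtx/datfiles/profiles")             # profile files (DoS if altered/deleted)


@dataclass
class Entry:
    path: str
    mode: int        # permission bits only, e.g. 0o666 (stat.S_IMODE of st_mode)
    uid: int
    gid: int
    is_dir: bool = False


def classify(entry, sensitive=False, root_executed=False):
    """Return human-readable findings for one file or directory.

    sensitive      - the file holds credentials or auth state (items 2, 3, 4 of the advisory)
    root_executed  - the file/dir holds scripts the root-running server executes (item 1)
    """
    findings = []
    # Items 2-4: world-writable files let any local user alter logs, users, profiles.
    if entry.mode & stat.S_IWOTH:
        findings.append(f"{entry.path}: writable by everyone (mode {entry.mode:04o})")
    # Items 2-3: world-readable credential files expose (clear-text or decryptable) passwords.
    if sensitive and entry.mode & stat.S_IROTH:
        findings.append(f"{entry.path}: readable by everyone but holds credentials")
    # Item 1: scripts run as root must be owned by root and not writable by another group.
    if root_executed:
        if entry.uid != 0:
            findings.append(f"{entry.path}: executed as root but owned by uid {entry.uid}")
        if entry.mode & stat.S_IWGRP and entry.gid != 0:
            findings.append(f"{entry.path}: executed as root but writable by gid {entry.gid}")
    return findings


def _entry_for(path):
    st = os.lstat(path)
    return Entry(path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, stat.S_ISDIR(st.st_mode))


def audit_install(install_root, root_executed_dirs=("wtm_wtx/scripts",)):
    """Walk a real install root and collect findings. root_executed_dirs is an
    assumed location; pass the directories your install actually runs as root."""
    findings = []
    for name in SENSITIVE_FILES:
        p = os.path.join(install_root, name)
        if os.path.exists(p):
            findings += classify(_entry_for(p), sensitive=True)
    for rel in SENSITIVE_DIRS:
        top = os.path.join(install_root, rel)
        for dirpath, _dirs, files in os.walk(top):
            findings += classify(_entry_for(dirpath))          # directory itself must not be world-writable
            for f in files:
                findings += classify(_entry_for(os.path.join(dirpath, f)), sensitive=True)
    for rel in root_executed_dirs:
        top = os.path.join(install_root, rel)
        for dirpath, _dirs, files in os.walk(top):
            findings += classify(_entry_for(dirpath), root_executed=True)
            for f in files:
                findings += classify(_entry_for(os.path.join(dirpath, f)), root_executed=True)
    return findings


# Constructed sample entries mirroring the advisory's description (uid/gid 1001 is an
# arbitrary service account, 2 is the conventional uid/gid of "bin"; both are assumptions).
SAMPLE = [
    (Entry("interface.log", 0o666, 1001, 1001), dict(sensitive=True)),
    (Entry("wtm_wtx/datfiles/users/admin.usr", 0o666, 1001, 1001), dict(sensitive=True)),
    (Entry("wtm_wtx/datfiles/profiles/default.prf", 0o666, 1001, 1001), dict(sensitive=True)),
    (Entry("wtm_wtx/scripts", 0o770, 2, 2, is_dir=True), dict(root_executed=True)),
    (Entry("wtm_wtx/scripts/report.pl", 0o770, 2, 2), dict(root_executed=True)),
    # A hardened counterpart: root-owned, owner-only access, no findings expected.
    (Entry("hardened/admin.usr", 0o600, 0, 0), dict(sensitive=True)),
]


def demo():
    """Run classify() over the constructed sample and return all findings."""
    out = []
    for entry, kwargs in SAMPLE:
        out += classify(entry, **kwargs)
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The hardened entry shows the target state the checks encode: credential and profile files owned by the service user with mode 0600, and anything the root-running server executes owned by root and not group- or world-writable.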