Vulnerability
Extent RBS directory traversal: any user can retrieve any file on the server.

Affected
Extent RBS 2.63 (possibly others; 2.5 is vulnerable)

Description
Found by 'obscure'.

Extent RBS ISP is a full OSS package which combines RADIUS, user management, Web signup, billing, invoicing and other valuable features that let you grow your IP service provider business. Extent RBS allows users to register a new subscription via Credit Card through their web browser.

The problem is that the web server does not check for directory traversal when reading image files. Thus any file on the same partition (on WinNT, or any file on the system on *NIX) which Extent RBS has permission to read can be read by a malicious user. This includes credit card details, usernames and passwords, which are stored in:

%HOMEDRIVE%\Program Files\<program directory>\database\rbsserv.mdb

The URL relative to this file would be:

http://localhost:8002/Newuser?Image=../../database/rbsserv.mdb

The malicious user (attacker/hacker/whatever) would just connect to port 8002 of the Extent RBS ISP server, which allows anonymous access, and retrieve any file on the system (such as the credit card numbers, usernames and passwords stored in RBSserv.mdb) by passing the URL template included below. This assumes that NTFS permissions are left in their default state.

URL template:

http://<ip address>:8002/NewUser?image=<location of file to retrieve relative to the webroot directory>

This has only been tested on the WinNT version of Extent RBS.

Solution
The vendor was contacted and has confirmed it is issuing a patch for WinNT, Linux and SunOS.
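The flaw above is the classic unchecked join of a user-supplied parameter onto the web root. The following is an added example, not Extent RBS code: a naive handler that reproduces that behaviour beside a hardened resolver that canonicalises the path and refuses anything that escapes the web root. The web root path, the `Image` parameter handling and the helper names are assumptions for illustration.

```python
import os
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

def naive_image_path(webroot: str, image_param: str) -> str:
    """Mirrors the advisory's flaw: the parameter is appended unchecked,
    so '../../database/rbsserv.mdb' walks out of the web root."""
    return os.path.join(webroot, image_param)

def safe_image_path(webroot: str, image_param: str) -> Optional[str]:
    """Return the canonical path only if it stays inside webroot, else None."""
    root = os.path.realpath(webroot)
    # Decode percent-encoding first so encoded traversal (%2e%2e/) is caught.
    decoded = unquote(image_param)
    # Assumption: the server also runs on WinNT, so treat backslashes as
    # separators rather than letting them hide inside a filename component.
    decoded = decoded.replace("\\", "/")
    # Reject absolute paths and NT drive letters before joining.
    if os.path.isabs(decoded) or (len(decoded) > 1 and decoded[1] == ":"):
        return None
    candidate = os.path.realpath(os.path.join(root, decoded))
    # realpath collapses '..' and resolves symlinks; the result must still
    # have the web root as its prefix at the directory level (not string level).
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def image_param_from_url(url: str) -> str:
    """Extract the image parameter; the advisory shows both 'Image' and 'image'."""
    query = parse_qs(urlsplit(url).query)
    for key, values in query.items():
        if key.lower() == "image":
            return values[0]
    return ""

def request_allowed(url: str, webroot: str) -> bool:
    """True only if the request would be served from inside the web root.
    Usable both as the server-side check and for sweeping access logs."""
    return safe_image_path(webroot, image_param_from_url(url)) is not None
```

Running the advisory's own URL through `request_allowed` returns False, while a plain image name such as `logo.gif` is still served.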