TUCoPS :: Web :: Servers :: web4880.htm

Xitami Webserver clear text password storage vulnerability
27th Nov 2001 [SBWID-4880]
COMMAND

	Xitami Webserver clear text password storage vulnerability

SYSTEMS AFFECTED

	Xitami Webserver 2.4d9, 2.5b5 beta

PROBLEM

	In advisory from Larry W. Cashdollar Vapid  Labs  [http://vapid.dhs.org]
	:
	

	The webserver administrator password is stored  clear-text  in  a  world
	readable file. A local user can use  the  webserver  admin  password  to
	gain control of (by default) root owned xitami process. The  server  can
	then be reconfigured by the malicious user  (locally  unless  configured
	to allow remote administration)  to  read  sensitive  system  files  and
	execute commands as root.
	

	During installation the administrator is asked to enter an  account  and
	username password used to access  the  web  administrator  function.  By
	default administration of the webserver is only allowed from  localhost.
	This information is stored in a file called default.aut
	 

	[lwcash@mathom xitami]$ ls -l defaults.aut

	-rw-r--r--    1 root     root          107 Nov 23 10:56 defaults.aut

	

	

	If the server is configured by default (just hitting  enter  when  asked
	to enable remote web administration) then  a  local  user  can  use  the
	admin password stored in the above file  to  reconfigure  the  webserver
	and among other things change the cgi-bin directory to /tmp/cgi-bin.  By
	default the server runs as root and does not drop privledges.
	

	I did the following:
	 

	[lwcash@mathom ~ $] echo \"#!/bin/sh\" > /tmp/cgi-bin/test.cgi

	[lwcash@mathom ~ $] echo \"chmod 666 /etc/passwd\" >> /tmp/cgi-bin/test.cgi

	[lwcash@mathom ~ $] chmod 555 /tmp/cgi-bin/test.cgi

	

	The following URL will execute our cgi as root:
	 

	http://localhost/tmp/cgi-bin/test.cgi

	

	If the server has been configured to allow remote  administration,  then
	the above url can be accessed remotely.
	

	

SOLUTION

	Configuration files that store sensitive information  should  have  very
	restrictive file  permissions.  Passwords  should  never  be  stored  in
	clear-text, they should be stored at least as a one way hash.
	

	Configure xitami to run as nobody.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH