Vulnerability

    Cobalt RaQ2

Affected

    Cobalt RaQ1, RaQ2 and RaQ3

Description

    Chuck Pitre posted following.   His user was able to  change admin
    password.  To replicate this bug you must have Site  Administrator
    access to one of the accounts on the server.  When you go into the
    Site Management for a site and select the User Management  option,
    you get  a list  of the  usernames that  have been  setup for that
    account.  The green pencil edit  icon is a command to execute  the
    JavaScript function  modify() and  it passes  the username  as the
    only variable into the function.   To properly execute a  function
    from the Location  Bar in Netscape,  the HTML page  has to be  the
    top frame.  One must simply  open the userList.html file in a  new
    frame.  When  you type "javascript:  modify( 'admin' );"  into the
    Location  Bar,  the  modify()  function  returns  a  URL.  The URL
    returned when accessing it from site is

        http://207.153.19.154:81/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi?username=admin&group=site151&949015199230

    This loads a  standard Modify User  page for the  "admin" account.
    However, when you attempt  to change this information  by clicking
    the "Confirm Modify" button, it returns a JavaScript error because
    the function that it calls  upon is dependant on the  frame layout
    of the Site Management page.  To overcome this issue we'll  simply
    download two HTML files to hard disk.  One is the index.html file,
    other other is the right.html  file.  Basically we can  change the
    index.html file to  call upon the  URL's on your  site and had  it
    load the  right.html file  locally off  your hard  disk.   We then
    change the  right.html file  to load  the URL's  on your  site but
    change the "main" frame source to

        http://207.153.19.154:81/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi?username=admin&group=site151&949015199230

    - the Modify User page for the "admin" account.  It then loads  up
    with  all  the  correct  frames  AND  the Modify User page for the
    "admin" account.  Just enter a new password for the user and click
    "Confirm  Modify"  and  presto!   The  admin  password  is changed
    allowing you access to the Server Management page showing all  the
    server's  clients,  IP  addresses,  domain  names,  and ability to
    access  all  the  client's  contact  people,  telephone   numbers,
    usernames, and passwords.  You can also delete any sites/files  or
    download any sites/files  (full access via FTP to the site showing
    the root directory  of the server,  and the ability  to delete any
    evidence via the /log/ directory).

    Nir Simionovich  added following.   Cobalt QUBE2  machine  suffers
    from serious securiy  flaws.  For  example, the web  GUI interface
    once initiated with the admin password, would remember the station
    you entered from.  Thus, if you don't close your browser, and  you
    change sites, someone can come to your machine, punch up the QUBE2
    admin site, and walla, instant admin.

    Another matter  was the  fact that  the QUBE2  isn't SSL  managed.
    Which made it  very simple for  me to go  and sniff the  passwords
    out on the network.

Solution

    As  for  For  RaQ  3,  through  improper  permissions  checking in
    /.cobalt/siteUserMod/siteUserMod.cgi, any  Site Administrator  can
    change the password of any  regular user or Site Administrator  on
    the system, but not admin(root).

    If your system is at risk you can you can downloaded the  relevant
    package and install it.  These are beta versions of the  packages,
    Cobalt is currently testing these packages.

        RaQ 1 - ftp://ftp.cobaltnet.com/pub/experimental/security/siteUserMod/RaQ1-Security-3.6.pkg
        RaQ 2 - ftp://ftp.cobaltnet.com/pub/experimental/security/siteUserMod/RaQ2-Security-2.94.pkg
        RaQ 3 - ftp://ftp.cobaltnet.com/pub/experimental/security/siteUserMod/RaQ3-Security-2.2.pkg