Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Vulnerabilities in Informix Webdriver
From: Joel Michael <joel () DIGGY COM AU>
Date: Thu, 4 Jan 2001 23:57:12 +1000

On 30 Dec 2000 08:34:53 +0800, isno wrote:
Webdriver is the web interface of Informix database,I found it is vulnerable.In the common condition,webdriver is 
submitted with a parameter,but if you type http://victim/cgi-bin/webdriver directly, It will return a webpage which 
you can modify or delete database on it.


When no parameters are passed, the webdriver uses the defaults found in
the web configuration, which is stored within the 'webconfigs' table in
v4 web blade installations, and in the web.cnf file in v3 web blade
installations.  Which default MIval did you set as the default?  By
default, the MIval is set to /default.html, and this page does not even
exist within the database when the web blade is first installed, hence
will give you a 404.  If you could explain a bit more of the
'vulnerable' setup, like which platform both the web server and database
server is on, which versions of Informix engine and web datablade you're
using, and anything else that's relevant, it would be a great help to
me.

Otherwise, webdriver will make a /tmp/.log file,its attribute is -rw-rw-rw,we can make a symlink and get the nobody 
privilege,although without root privilege,we can deface the website as nobody.


In the version of webdriver I'm using on my live servers (4.10.UC1), you
specify the location of the log file in the web.cnf using the debug_file
parameter in the <global> section of the config.  The CGI webdriver will
write to the specified log file as the user/group that the web server is
configured to run CGI as, and writes the file with permissions
-rw-r--r--.  If the webdriver is server-based, it seem as though it
writes as the user the web server was started as (at least with apache,
on my systems it is root/other).

Also, there is no way to alter the web pages unless the AppPage editor
has been installed into the database, and that the target site uses
AppPage editor to edit their site, not DDW, which does not use the same
source table for the html.  Without diving into manuals which I don't
have handy at the moment, I also seem to recall that you need to
authenticate against the wbusers or webusers table, and have the
appropriate page levels set for the user.

--
Joel Michael
Systems Administrator
Diggy Internet Services


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault