mailing list archives
Re: [PEN-TEST] Silverstream.
From: ERisk.CH () CH EYI COM
Date: Tue, 14 Nov 2000 13:30:09 +0100
I recently did some research on the SilverStream application server and
found a number of interesting problems. By default a SilverStream
application server is wide open, remote users can do virtually anything.
It's extremely important to lock the server down correctly. Unfortunately
the SilverStream documentation doesn't help very much (at least it didn't 6
months ago, hopefully SilverStream have improved the doc since then). Also,
locking down a SilverStream server is not trivial - there's lots of
parameters to change. Many web administrators don't lock their servers down
You might like to try the following:
1. Test if the default username / password has been changed when accessing
the management console
2. Test if directory listings have been disabled
3. Test if it's possible to read internal configuration info.
4. Test if it's possible to get a complete list of webbases installed on
(great way to find hidden/test web sites)
5. Test if remote users can shutdown the web server:
silvercmd serverstate web-server shutdown
(alternatively telnet to port 80 and type in the appropriate commands :-(
6. Test if it's possible to view statistics or session info:
7. Test if it's possible to view the internal database structure:
where dbname is the name of the database.
8. Test if it's possible to access the management console WITHOUT entering
a username or password.
Sorry, I won't give exploit details. HINT, have a closer look at SMC.html
For further possibilities, have a close look at the silvercmd executable -
an attacker can do a LOT of damage with this...
Ernst & Young