Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Silverstream.
From: ERisk.CH () CH EYI COM
Date: Tue, 14 Nov 2000 13:30:09 +0100

I recently did some research on the SilverStream application server and
found a number of interesting problems. By default a SilverStream
application server is wide open, remote users can do virtually anything.
It's extremely important to lock the server down correctly. Unfortunately
the SilverStream documentation doesn't help very much (at least it didn't 6
months ago, hopefully SilverStream have improved the doc since then). Also,
locking down a SilverStream server is not trivial - there's lots of
parameters to change. Many web administrators don't lock their servers down
properly...

You might like to try the following:

1. Test if the default username / password has been changed when accessing
the management console
http://web-server/SilverStream/Pages/SMC.html

2. Test if directory listings have been disabled
http://web-server/SilverStream

3. Test if it's possible to read internal configuration info.
http://web-server/SilverStream/Administration

4. Test if it's possible to get a complete list of webbases installed on
the server
(great way to find hidden/test web sites)
http://web-server/SilverStream/Meta/Webbases

5. Test if remote users can shutdown the web server:
silvercmd serverstate web-server shutdown
(alternatively telnet to port 80 and type in the appropriate commands :-(

6. Test if it's possible to view statistics or session info:
http://web-server/SilverStream/Sessions
http://web-server/SilverStream/Statistics

7. Test if it's possible to view the internal database structure:
http://web-server/SilverStream/Meta/Tables?access-mode=text
also
http://web-server/dbname/SilverStream/Meta/Tables?access-mode=text
where dbname is the name of the database.

8. Test if it's possible to access the management console WITHOUT entering
a username or password.
Sorry, I won't give exploit details. HINT, have a closer look at SMC.html

For further possibilities, have a close look at the silvercmd executable -
an attacker can do a LOT of damage with this...

regards

David Hyams
Ernst & Young
Switzerland


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]