piranha/secure/passwd.php3:
Piranha is a utility which comes with Red Hat Linux for administering the Linux Virtual Server. It comes with a default backdoor password which could allow unauthorized access to the Graphical User Interface (GUI). By exploiting vulnerabilities in the tools that come with the GUI, an attacker who knows the backdoor password could execute arbitrary commands on the server. Any server which has piranha-gui 0.4.12 installed, which is the default for Red Hat 6.2, is vulnerable.
cart32.exe:
This program is part of Cart 32, an E-Commerce Shopping Cart application. By default, it has a backdoor password of "wemilo". An attacker who knows this password could view a list of client passwords using an undocumented URL such as http://hostname/scripts/cart32.exe/cart32clientlist. The hashed client passwords could be used to execute arbitrary commands on the server using a specially crafted URL.
emurl/RECMAN.dll:
CVE-2000-0397
SeattleLab's Emurl 2.0 and earlier versions authenticate users with a simple ASCII encoding scheme based on the user's login name. This makes it possible to read other users' mail, reconfigure their accounts, or steal their POP passwords.
guestbook:
CVE-1999-0237
Selena Sol's guestbook CGI program could allow an attacker to execute arbitrary commands on the server if server side includes are enabled.
excite:
CVE-1999-0279
Excite for Web Servers does not sufficiently check queries for special characters before passing them to a shell. It is possible for a remote attacker to execute arbitrary commands on the server by exploiting this condition. Excite 1.1 for either Unix or Windows NT is affected by this vulnerability if patches have not been applied after 1/16/98.
site/eg/source.asp:
Apache::ASP comes with a sample script which can be exploited to write to files in the same directory as the script. Versions prior to 1.95 are vulnerable.
w3-msql:
CVE-2000-0012
Mini SQL has a buffer overflow condition which could allow a remote attacker to execute arbitrary commands on the server. Versions 2.0.4.1 through 2.0.11 for Unix and Linux are affected by this vulnerability.
wais.pl:
This script is a web interface to the waisq client. A vulnerability in wais.pl could allow a remote user to set command-line options through input parameters, thereby overwriting files on the server. This vulnerability also exposes a buffer overflow condition in waisq.
cart32.exe:
Using a hex editor, change the backdoor password (found at 0x6204h) to something else. Also change the permissions on c32web.exe so that it is only accessible by administrators. This will prevent unauthorized users from executing arbitrary commands using a specially crafted URL. Alternatively, apply the patch developed by L0pht.
emurl/RECMAN.dll:
Replace Emurl with a version higher than 2.0.
guestbook:
Disable server side includes. If this is not possible, or for additional security protection, make the following changes to the guestbook setup file:
excite:
Install the patch.
site/eg/source.asp:
Either delete the script, or upgrade to Apache::ASP version 1.95 or higher.
w3-msql:
Apply the patch which can be found in the X-Force Advisory.
wais.pl:
In waisq.pl, change @query to $pquery at the end of the line that begins with "open(WAISQ". As an additional precaution, recompile waisq with the following change in the source code:
    char pathname[MAX_FILENAME_LEN+1];
to
    char pathname[MAX_FILENAME_LEN*2+1];
cart32.exe:
See the Cerberus Advisory.
emurl/RECMAN.dll:
See the Bugtraq posting.
guestbook:
See the X-Force Advisory.
excite:
See the X-Force Advisory.
site/eg/source.asp:
See the Bugtraq posting.
w3-msql:
See the X-Force Advisory.