Multiple Vulnerabilities in SuperScout Web Reports Server



3rd Oct 2002 [SBWID-5731]
COMMAND

	Multiple Vulnerabilities in SuperScout Web Reports Server

SYSTEMS AFFECTED

	SurfControl SuperScout WebFilter

PROBLEM

	From Matt Moore's [matt@westpoint.ltd.uk] advisory [ID#:wp-02-0005]:
	

	 Usernames and Passwords Retrievable.

	 ------------------------------------

	

	The file located at:
	

	http://reports-server:8888/surf/scwebusers

	

	contains the usernames and  passwords  for  each  user  of  the  reports
	server. The usernames are  in  plain  text,  whilst  the  passwords  are
	encrypted.
	

	 Weak Encryption

	 ---------------

	

	The encryption is implemented via a simple JavaScript, located at:
	

	http://reports-server:8888/surf/JavaScript/UserManager.js

	

	The EncryptString  function  takes  two  parameters  'text  string'  and
	'key'.
	

	Unfortunately, the key is hard-coded into another JavaScript function,
	and hence it is trivial to decrypt the passwords. (The key is 'test'.)
	

	The default administrative password, '3&8>>' decrypts to 'admin'.
	

	As a result of this, an attacker can access  any  reports  available  on
	the server.
	

	 DoS via Large GET request

	 -------------------------

	

	Repeated large GET requests cause the reports service  to  consume  100%
	CPU, at which point it no longer  services  requests.  The  server  does
	appear to recover eventually. However, this was not tested extensively.
	

	 Triple Dot Directory Traversal

	 ------------------------------

	

	An attacker can retrieve any file on the server via a  simple  directory
	traversal attack, e.g.
	

	http://reports-server:8888/.../.../.../.../.../.../.../winnt/win.ini

	

	 SQL Injection Vulnerability

	 ---------------------------

	

	The various reports available are  implemented  as  .dll's.  Several  of
	these perform no input validation, and hence  it  is  possible  that  an
	attacker could execute arbitrary SQL queries against the database:
	

	http://reports-server:8888/SimpleBar.dll/RunReport ?...<various parameters>

	

	 Note:

	 -----

	

	The banner returned by the server is 'MS-MFC-HttpSvr/1.0'. A search  for
	this returned the following link:
	

	http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcsample98/html/_sample_mfc_httpsvr.asp

	

	The reports server appears to be based  on  a  sample  application  from
	Microsoft. Other  servers  based  on  this  may  be  vulnerable  to  the
	directory traversal and DoS attacks.
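
An added example, not part of the advisory: a Python log check that flags three of the request patterns described above (the credential file, dot-only path segments, oversized GET URIs). The Common Log Format input, the 2048-byte threshold, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumed input: Common Log Format lines (the advisory shows no log format).
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
                 r'"[A-Z]+ (?P<uri>\S+)[^"]*" (?P<status>\d{3}) ')
MAX_URI_LEN = 2048  # assumed threshold; the advisory gives no size for "large"

def classify(uri):
    """Return the advisory findings that a request URI matches."""
    findings = []
    if len(uri) > MAX_URI_LEN:
        findings.append("oversized-get")
    path = uri.split("?", 1)[0]
    for _ in range(3):          # undo single and nested percent-encoding
        path = unquote(path)
    # Any path segment made only of dots (two or more) is a traversal attempt.
    if any(len(s) >= 2 and set(s) == {"."} for s in re.split(r"[/\\]", path)):
        findings.append("dot-traversal")
    if path.lower().rstrip("/") == "/surf/scwebusers":
        findings.append("credential-file")
    return findings

def scan(lines):
    """Return (client_ip, status, findings) for every flagged log line."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m and (found := classify(m["uri"])):
            hits.append((m["ip"], int(m["status"]), found))
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [03/Oct/2002:10:00:01 +0000] "GET /surf/scwebusers HTTP/1.0" 200 512',
    '192.0.2.10 - - [03/Oct/2002:10:00:05 +0000] "GET /.../.../.../winnt/win.ini HTTP/1.0" 200 477',
    '192.0.2.11 - - [03/Oct/2002:10:00:09 +0000] "GET /%2e%2e%2e/%2e%2e%2e/winnt/win.ini HTTP/1.0" 404 0',
    '192.0.2.12 - - [03/Oct/2002:10:01:00 +0000] "GET /' + "A" * 4000 + ' HTTP/1.0" 500 0',
    '192.0.2.20 - - [03/Oct/2002:10:02:00 +0000] "GET /surf/JavaScript/UserManager.js HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A 200 status on a credential-file or dot-traversal hit means the server returned the content, so the report-server passwords should be treated as exposed.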

SOLUTION

	No patch available. Vendor supplied workaround:
	

	Disable the reports server and consider using a terminal session to  the
	server to access the reports.
	

	This advisory is available online at:
	

	http://www.westpoint.ltd.uk/wp-02-0005.txt

	

	

	

	

