
In document Butterfly - Security Project - 1.0 (Page 72-75)

6. The application vulnerability assessment

6.3. File upload issues

6.3.1. Improper file storage

This type of vulnerability is easy to find with web vulnerability scanners. Most of them ship a long list of folder and file names that commonly exist on web servers and request every one of them. Discovering such folders is very useful to an attacker, because access to them is frequently not protected at all.

The Nikto output below consists mostly of false positives (Nikto itself warns about this: the application answers every request with a redirect to login.php, so many signature checks match on the redirect alone), but the line reporting ‘/files/’ is a genuinely interesting case. If you open the ‘/files/’ folder in the application, the web server answers with a directory listing of the uploaded files:

freetest% nikto -host 127.0.0.1 -vhost insecure.butterfly.prv
---
- Nikto 1.35/1.34 - www.cirt.net
+ Target IP:       127.0.0.1
+ Target Hostname: localhost
+ Target Port:     80
+ Virtual Host:    insecure.butterfly.prv
+ Start Time:      Tue Nov 13 11:01:43 2007
---
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Apache
+ The root file (/) redirects to: http://insecure.butterfly.prv/login.php?req=/
+ / - Redirects to http://insecure.butterfly.prv/login.php?req=/ , Default EMC Cellera manager server is running.
+ / - Redirects to http://insecure.butterfly.prv/login.php?req=/ , Appears to be a default Apache Tomcat install.
+ / - Redirects to http://insecure.butterfly.prv/login.php?req=/ , Appears to be a default Apache Tomcat install.
+ / - Redirects to http://insecure.butterfly.prv/login.php?req=/ , Default EMC ControlCenter manager server is running.
+ / - Redirects to http://insecure.butterfly.prv/login.php?req=/ , Appears to be a default Apache install.
+ / - Redirects to http://insecure.butterfly.prv/login.php?req=/ , Appears to be a default Apache install.
+ / - Redirects to http://insecure.butterfly.prv/login.php?req=/ , Default Jrun 2 server running.
+ / - Redirects to http://insecure.butterfly.prv/login.php?req=/ , Cisco VoIP Phone deafult web server found.
+ / - Redirects to http://insecure.butterfly.prv/login.php?req=/ , Default Sybase Jaguar CTS server running.
+ / - Redirects to http://insecure.butterfly.prv/login.php?req=/ , Default Jrun 3 server running.
+ / - Redirects to http://insecure.butterfly.prv/login.php?req=/ , Default Lantronix printer found.
+ / - Redirects to http://insecure.butterfly.prv/login.php?req=/ , Default IBM Tivoli Server Administration server is running.
+ / - Redirects to http://insecure.butterfly.prv/login.php?req=/ , Default Jrun 4 server running.
+ / - Redirects to http://insecure.butterfly.prv/login.php?req=/ , Default Xerox WorkCentre server is running.
+ /?D=A - Redirects to http://insecure.butterfly.prv/login.php?req=/?D=A , Apache allows directory listings by requesting. Upgrade Apache or disable directory indexing.
+ /?M=A - Redirects to http://insecure.butterfly.prv/login.php?req=/?M=A , Apache allows directory listings by requesting. Upgrade Apache or disable directory indexing.
+ /?N=D - Redirects to http://insecure.butterfly.prv/login.php?req=/?N=D , Apache allows directory listings by requesting. Upgrade Apache or disable directory indexing.
+ /?S=A - Redirects to http://insecure.butterfly.prv/login.php?req=/?S=A , Apache allows directory listings by requesting. Upgrade Apache or disable directory indexing.
+ // - Redirects to http://insecure.butterfly.prv/login.php?req=// , Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.
+ // - Redirects to http://insecure.butterfly.prv/login.php?req=// , By sending an OPTIONS request for /, the physical path to PHP can be revealed.
+ /index.php?name=forums&file=viewtopic&t=2&rush=%64%69%72&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527 - Redirects to http://insecure.butterfly.prv/login.php?req=/index.php?name=forums&file=viewtopic&t=2&rush=%64%69%72&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527 , phpBB is vulnerable to a highlight command execution or SQL inection vulnerability, used by the Santy.A worm. CERT VU497400. OSVDB-11719.
+ Over 20 "Moved" messages, this may be a by-product of the
+ server answering all requests with a "302" or "301" Moved message. You should
+ manually verify your results.
+ /files/ - This might be interesting... (GET)
+ Over 20 "Moved" messages, this may be a by-product of the
+ server answering all requests with a "302" or "301" Moved message. You should
+ manually verify your results.
+ 2563 items checked - 1 item(s) found on remote host(s)
+ End Time: Tue Nov 13 11:01:59 2007 (16 seconds)
---
+ 1 host(s) tested

Securing PHP applications

I found the folder where the application stores the files uploaded during the ordering procedure. Additionally, the directory indexing feature is enabled on the server side, so I have direct access to all files stored in this folder.

In this way an attacker gains access to the files of every user of the application, and the access is completely unauthenticated. There is no access control because the upload folder was published inside the web server’s document root: the web server serves its contents directly and the application never sees the request, so it cannot enforce any authorisation. Note that disabling directory indexing only removes the listing; any file with a guessable or leaked name stays readable by anyone. The upload store has to live outside the document root, and the application has to hand files out through a script that authenticates the user and checks that the requested file belongs to them.
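The design just described, as an added example (not ButterFly code, and written in Python rather than the application’s PHP, because the logic is language-independent): uploads are stored under an opaque random name in a directory that is verified to be outside the document root, the client-supplied file name never touches the filesystem, and reads go through a handler that refuses anything but a well-formed reference, checks ownership, and confirms the resolved path stayed inside the store. The class name, the directory layout and the sample PDF bytes are assumptions made for the example.

```python
"""Hardened upload storage: files live outside DocumentRoot and are reachable
only through an application handler that checks ownership.
Added example; the UploadStore design and the paths are assumptions, not the
Butterfly implementation."""
import os
import re
import secrets
import tempfile

# Opaque on-disk names are exactly 32 lowercase hex chars: this rejects "../",
# absolute paths, NUL bytes and encoded variants before any filesystem access.
STORED_NAME = re.compile(r'^[0-9a-f]{32}$')


class UploadStore:
    def __init__(self, root, document_root):
        self.root = os.path.realpath(root)
        self.document_root = os.path.realpath(document_root)
        # Refuse the exact misconfiguration found on ButterFly: a store that
        # the web server would serve directly, with no application in the way.
        if self.root == self.document_root or \
                self.root.startswith(self.document_root + os.sep):
            raise ValueError('upload store must live outside DocumentRoot')
        os.makedirs(self.root, exist_ok=True)
        # Ownership index: stored name -> (owner, client-supplied name).
        # A real application keeps this in its database.
        self._owners = {}

    def save(self, owner, client_name, data):
        # The client-supplied name is metadata only; it never touches the disk.
        stored = secrets.token_hex(16)
        with open(os.path.join(self.root, stored), 'wb') as fh:
            fh.write(data)
        self._owners[stored] = (owner, client_name)
        return stored  # the reference the application hands back to the user

    def read(self, requester, stored):
        # 1. Syntactic check first.
        if not STORED_NAME.match(stored or ''):
            raise PermissionError('bad file reference')
        # 2. Authorisation: only the owner may read. Unknown and foreign
        #    references produce the same error, so nothing can be enumerated.
        entry = self._owners.get(stored)
        if entry is None or entry[0] != requester:
            raise PermissionError('not found')
        # 3. Defence in depth: the resolved path must still be inside the store.
        path = os.path.realpath(os.path.join(self.root, stored))
        if os.path.dirname(path) != self.root:
            raise PermissionError('path escaped store root')
        with open(path, 'rb') as fh:
            return fh.read()


def _denied(action):
    """True if the action is refused with PermissionError or ValueError."""
    try:
        action()
    except (PermissionError, ValueError):
        return True
    return False


def demo():
    """Exercise the store in a temporary directory; returns a dict of checks."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, 'htdocs')          # assumed DocumentRoot
    os.makedirs(docroot)
    store = UploadStore(os.path.join(base, 'uploads'), docroot)
    sample = b'%PDF-1.4 constructed sample order document'
    ref = store.save('alice', 'order.pdf', sample)
    return {
        'owner_can_read': store.read('alice', ref) == sample,
        'other_user_blocked': _denied(lambda: store.read('bob', ref)),
        'traversal_blocked': _denied(lambda: store.read('alice', '../../etc/passwd')),
        'store_in_docroot_rejected': _denied(
            lambda: UploadStore(os.path.join(docroot, 'files'), docroot)),
    }


if __name__ == '__main__':
    for check, ok in demo().items():
        print(f'{check}: {"ok" if ok else "FAIL"}')
```

The ownership index is the piece ButterFly lacks entirely: once the web server serves the folder itself, there is no place where a check like the one in `read` could run.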

6.3.1.1. Brute-forcing web server folders

Although Nikto did its job and uncovered a hidden ButterFly resource, I recommend a better tool for this purpose. Nikto is a nice tool, but it is primarily a web vulnerability scanner. To enumerate the folders available on a tested server, a tool specialised for exactly that is the better choice.

I recommend DIRB, written by darkraver of Open Labs. It ships with a few dictionaries that are good enough against ButterFly, but in general better and more comprehensive dictionaries are recommended, which can be downloaded from here.

After downloading DIRB, unpacking and compiling it, let’s run it against ButterFly:

dirb # ./dirb http://insecure.butterfly.prv
---
DIRB v2.00
By The Dark Raver
---

START_TIME: Mon May 12 15:15:57 2008
URL_BASE: http://insecure.butterfly.prv/
WORDLIST_FILES: wordlists/common.txt

---

GENERATED WORDS: 957

---- Scanning URL: http://insecure.butterfly.prv/ ----
+ http://insecure.butterfly.prv/cgi-bin/ (FOUND: 403 [Forbidden] - Size: 210)
+ http://insecure.butterfly.prv/files/ ==> DIRECTORY

---- Entering directory: http://insecure.butterfly.prv/files/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---

DOWNLOADED: 957 - FOUND: 1

As you can see, DIRB’s default configuration detected the ‘files’ folder and flagged it as listable, and it reported /cgi-bin/ as forbidden (a 403 is a hint worth noting, not a finding in itself). This is a much cleaner way to test the structure of a web application: DIRB calibrates its idea of “not found” against the server’s actual response to a non-existent name, so the uniform redirect to login.php that confused Nikto is filtered out instead of being reported 20 times.
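The calibration idea in its simplest form, as an added example (not DIRB code and not part of the original document): before testing the wordlist, request a couple of random names and record the shape of the answer, with the requested path factored out of the Location header; then report only responses whose shape differs, and mark a 200 whose body says “Index of” as listable. The responses below are constructed to mimic what the Nikto and DIRB runs above observed on insecure.butterfly.prv (listable /files/, forbidden /cgi-bin/, a 302 to login.php for everything else); the short wordlist, the function names and the `http_fetch` transport for live targets are assumptions of the example.

```python
"""Minimal directory brute-forcer with 'not found' baselining.
Added example, not DIRB or Butterfly code. It shows why Nikto's run above was
flooded with false positives: the host answers every unknown path with a 302
to login.php, so the status code alone says nothing."""
import random
import string
import urllib.error
import urllib.request


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), '')


def signature(path, status, headers, body):
    """Collapse a response into a comparable shape. The requested path is
    factored out so login.php?req=/a/ and login.php?req=/b/ look alike."""
    location = _header(headers, 'Location').replace(path, '{path}')
    return (status, location, len(body.replace(path, '')))


def scan(fetch, words, probes=2):
    """fetch(path) -> (status, headers, body). Returns [(path, status, listable)]."""
    # 1. Learn what 'not found' looks like on this host from random names.
    not_found = set()
    for _ in range(probes):
        rnd = '/' + ''.join(random.choices(string.ascii_lowercase, k=12)) + '/'
        not_found.add(signature(rnd, *fetch(rnd)))
    # 2. Report only responses whose shape differs from that baseline.
    findings = []
    for word in words:
        path = '/' + word.strip('/') + '/'
        status, headers, body = fetch(path)
        if signature(path, status, headers, body) in not_found:
            continue
        listable = status == 200 and 'index of' in body.lower()
        findings.append((path, status, listable))
    return findings


def http_fetch(base_url, timeout=10):
    """Transport for a live target (assumed helper, unused by the offline demo).
    Redirects are deliberately NOT followed: the 302 itself is what we classify."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None
    opener = urllib.request.build_opener(NoRedirect)

    def fetch(path):
        req = urllib.request.Request(base_url.rstrip('/') + path,
                                     headers={'User-Agent': 'dirscan-example'})
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status, dict(resp.headers), resp.read(65536).decode('latin-1')
        except urllib.error.HTTPError as err:   # 3xx/4xx/5xx land here
            return err.code, dict(err.headers), err.read(65536).decode('latin-1')
    return fetch


def fake_fetch(path):
    """Constructed stand-in for insecure.butterfly.prv: /files/ is listable,
    /cgi-bin/ is forbidden, and every other path redirects to login.php."""
    if path == '/files/':
        body = ('<html><head><title>Index of /files/</title></head><body>'
                '<h1>Index of /files/</h1><a href="upload1.pdf">upload1.pdf</a>'
                '</body></html>')
        return 200, {'Content-Type': 'text/html'}, body
    if path == '/cgi-bin/':
        return 403, {'Content-Type': 'text/html'}, '<h1>Forbidden</h1>'
    return 302, {'Location': 'http://insecure.butterfly.prv/login.php?req=' + path}, ''


# Constructed mini wordlist standing in for DIRB's wordlists/common.txt.
WORDS = ['admin', 'backup', 'cgi-bin', 'files', 'images', 'test', 'tmp']

if __name__ == '__main__':
    for path, status, listable in scan(fake_fetch, WORDS):
        print(path, status, 'LISTABLE' if listable else '')
```

Against a real host, replace `fake_fetch` with `http_fetch('http://insecure.butterfly.prv')` and a proper wordlist. The body-length component of the signature is a heuristic: a site whose “not found” page embeds the requested path in more than one form will need the normalisation widened.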
