Difference between revisions of "User:Dgeerts/DontLookAtMe"

From Atlas Wiki
=Able to run arbitrary executables on Windows Terminal server=
 
*<B>Type</B>: Local arbitrary code execution
 
*<B>Status</B>: <FONT color=red>Not fixed</FONT>
 
  
Microsoft Windows' program loader checks the header of the file it is asked to run, rather than trusting the file extension, determines whether it is an EXE, BAT or COM file, and runs it as the proper type. The current configuration on the Nikhef Windows Terminal Server blocks the loading of arbitrary EXE and COM files, but not of arbitrary BAT files. Thus, by renaming the file extension from EXE to BAT, this restriction is circumvented and the executable is run. An extension-based block is therefore not an execution control: the decision has to be made on what the file is (path, hash or publisher allowlisting, as Software Restriction Policies or AppLocker do, with scripts covered as well as executables), not on what it is called.
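A detector for the trick above, added here as an example (it is not part of the original page and not Nikhef's tooling): instead of trusting the extension, read the file the way the loader does and flag any file that carries a PE image but is named as something else. The extension list and the sample files are constructed for illustration.

```python
"""Detect executables that have been renamed to a non-executable extension,
the trick described above. Added example; not part of the original page.
The extension list and the sample files are constructed for illustration."""
import os
import struct
import tempfile

# Extensions an execution policy would normally cover; anything else that
# still carries a PE image is a disguised executable.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".dll", ".scr", ".sys"}


def is_pe_image(path):
    """Return True if the file starts with an MZ stub whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature, whatever the name says."""
    try:
        with open(path, "rb") as f:
            dos_header = f.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos_header, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def find_disguised_executables(root):
    """Walk root and return PE images whose extension is not an executable one."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXECUTABLE_EXTENSIONS and is_pe_image(path):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def fake_pe_bytes():
    """Constructed minimal PE-shaped file: MZ stub, e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    header = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def demo():
    """Populate a scratch directory with constructed samples and scan it."""
    root = tempfile.mkdtemp(prefix="mzscan_")
    samples = {
        "calc.exe": fake_pe_bytes(),                          # executable, honest extension
        "notes.bat": fake_pe_bytes(),                         # executable renamed to .bat
        "login.bat": b"@echo off\r\nnet use\r\n",             # genuine batch file
        "readme.txt": b"MZ at the start but no PE header\n",  # not an image
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return find_disguised_executables(root)


if __name__ == "__main__":
    print(demo())  # ['notes.bat']
```

The same content check is what a loader-level policy has to do; a scan like this over user-writable directories on the terminal server only finds the files that are already there.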
 
 
=PHP scripts on webserver run under 'web' account=
 
*<B>Type</B>: Local privilege escalation
 
*<B>Status</B>: <FONT color=blue>Fixed</FONT>
 
 
Any PHP script run on the webserver (by, for example, dropping the script file into the user's public_html directory) executes under the 'web' account. This allows users to escalate their privileges, if the 'web' account has rights the user's own account does not. It also means that every user's scripts run as the same identity, so nothing the webserver can read (other users' scripts, configuration files, session data) is private from anyone who can run PHP. The remedy is to run each user's scripts under that user's own identity (suexec, or a separate PHP-FPM pool per user) and to give 'web' no rights beyond serving.
 
 
=PHP on webserver able to reach main filesystem=
 
*<B>Type</B>:
 
*<B>Status</B>: <FONT color=red>Not fixed</FONT>
 
 
The PHP installation running on the webserver is able to reach the main filesystem (at least the *nix side) without any problems. In fact, several directories are exposed to the web (by design). This allows PHP scripts to read the filesystem, and (if rights permit) even write to it. Setting open_basedir confines PHP's own file functions to the application's directory, but it is a filter inside the interpreter, not a boundary for anything that can spawn a process (next finding).
 
 
=PHP on webserver able to exec arbitrary executables=
 
*<B>Type</B>: Local arbitrary code execution
 
*<B>Status</B>: <FONT color=red>Not fixed</FONT>
 
 
Using PHP's built-in exec function (or any of its siblings: system, passthru, shell_exec, popen, proc_open), a PHP script can run arbitrary executables on the webserver, under the 'web' account. Listing these in disable_functions removes the obvious route, but only if every one of them is listed, and it is no substitute for running each user's scripts under that user's own identity.
 
 
=World-writable folder(s) on webserver=
 
*<B>Type</B>: Unauthorised content modification (defacement)
 
*<B>Status</B>: <FONT color=yellow>Partially fixed</FONT>
 
 
There are several world-writable files and folders that are served by the webserver, allowing any local user to put content on the website. Main example: /public/www/pub. This was used to deface the Nikhef Travel Booking system (that instance is fixed). Various others remain, mostly 'registration participant' files.
 
 
=Password file of Nikhef travel system externally reachable=
 
*<B>Type</B>: Information disclosure
 
*<B>Status</B>: <FONT color=red>Not fixed</FONT>
 
 
The password file of the Nikhef Travel Booking system is externally reachable by URL: [http://www.nikhef.nl/pub/travel/config.inc http://www.nikhef.nl/pub/travel/config.inc]. Because the webserver does not treat .inc files as PHP, it serves the file as plain text. The Urenregistratie system has a similar file (geheim.php), but this is protected both by having a PHP extension (the server executes it rather than serving it) and, more importantly, by not being readable by other accounts. However, it is readable by the webserver (obviously), so a simple dump-contents-of-file PHP script running as 'web' is able to display the contents of this file anyway. Credentials belong outside the document root, in a file readable only by the identity that runs that one application.
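An audit for the two filesystem findings above (world-writable entries under the document root, and credential files the webserver serves as plain text), added here as an example; it is not part of the original page and not Nikhef's own tooling. The extension list, the directory layout and the file modes are constructed to resemble the cases described.

```python
"""Audit a document root for the two exposures above: entries any local user
can write (defacement) and files the web server hands out as plain text
although they hold credentials. Added example; not Nikhef's own tooling.
The extension list, the directory layout and the file modes are constructed."""
import os
import stat
import tempfile

# Extensions the web server serves verbatim rather than executing; a
# credentials file with one of these names is readable by any visitor.
PLAINTEXT_SECRET_EXTENSIONS = {".inc", ".bak", ".old", ".orig", ".sql", ".ini"}


def audit_docroot(root):
    """Return (world_writable, served_secrets) as sorted lists of paths
    relative to root. World-writable is judged by the mode bits (o+w),
    the same test `find root -perm -o+w` applies."""
    world_writable, served_secrets = [], []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mode & stat.S_IWOTH:
                world_writable.append(os.path.relpath(path, root))
        for name in files:
            if os.path.splitext(name)[1].lower() in PLAINTEXT_SECRET_EXTENSIONS:
                served_secrets.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(world_writable), sorted(served_secrets)


def demo():
    """Build a constructed docroot shaped like /public/www/pub and audit it."""
    root = tempfile.mkdtemp(prefix="docroot_")
    layout = {
        # relative path                        (mode,  content; None = directory)
        "pub":                                 (0o777, None),   # world-writable directory
        "pub/travel":                          (0o755, None),
        "pub/travel/config.inc":               (0o644, b"<?php $db_pass = 'hunter2';\n"),
        "pub/travel/reizen.php":               (0o644, b"<?php // application code\n"),
        "pub/registration":                    (0o755, None),
        "pub/registration/participants.txt":   (0o666, b""),    # world-writable file
    }
    for rel, (mode, content) in layout.items():
        path = os.path.join(root, rel)
        if content is None:
            os.mkdir(path)
        else:
            with open(path, "wb") as f:
                f.write(content)
        os.chmod(path, mode)   # explicit chmod, so the umask does not interfere
    return audit_docroot(root)


if __name__ == "__main__":
    writable, secrets = demo()
    print("world-writable:", writable)   # ['pub', 'pub/registration/participants.txt']
    print("served secrets:", secrets)    # ['pub/travel/config.inc']
```

The second list only catches files the server would serve verbatim; a credentials file with a .php extension (geheim.php above) is still readable by every script that runs as 'web', which no docroot scan can fix.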
 
 
=Nikhef travel system has full PHP error reporting enabled=
 
*<B>Type</B>: Information disclosure
 
*<B>Status</B>: <FONT color=blue>Fixed</FONT>
 
 
All the PHP error reporting functions were enabled in the Nikhef Travel Booking system. Whenever any error occurred, full error information (what error, file (with full path) and line number) was displayed to the external user. Errors should be logged (log_errors = On) and not displayed (display_errors = Off); turning display off without turning logging on simply loses them.
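The three findings that are PHP configuration rather than application code (open_basedir unset, the exec family enabled, and error display to visitors) can be checked mechanically. The following audit, added here as an example and not part of the original page, parses php.ini-style text and reports which of the three are present; the two sample configurations are constructed, not Nikhef's php.ini, and the open_basedir path in the hardened one is an assumption.

```python
"""Audit PHP configuration text for the three page findings that are
settings rather than code: open_basedir unset, process-spawning functions
enabled, and errors displayed to visitors. Added example; the two sample
configurations are constructed and are not Nikhef's php.ini."""
import configparser

# Functions that give a PHP script a process or shell on the web server.
EXEC_FAMILY = {"exec", "system", "passthru", "shell_exec", "popen",
               "proc_open", "pcntl_exec"}


def parse_php_ini(text):
    """Flatten php.ini text into {directive: value}. php.ini is INI syntax
    with ';' comments; a [PHP] section is prepended so sectionless text parses."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("[PHP]\n" + text)
    settings = {}
    for section in cp.sections():
        for key, value in cp.items(section):
            settings[key.lower()] = value.strip().strip('"')
    return settings


def is_on(value):
    """php.ini booleans: On/1/True/Yes are true, everything else is false."""
    return value.strip().lower() in {"1", "on", "true", "yes"}


def audit_php_ini(text):
    """Return a list of findings; an empty list means none of the issues is present."""
    s = parse_php_ini(text)
    findings = []
    if not s.get("open_basedir"):
        findings.append("open_basedir unset: PHP file functions may open any path the web user can read")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    still_enabled = sorted(EXEC_FAMILY - disabled)
    if still_enabled:
        findings.append("process-spawning functions enabled: " + ", ".join(still_enabled))
    if is_on(s.get("display_errors", "0")):
        findings.append("display_errors on: messages with full paths and line numbers reach the visitor")
    if not is_on(s.get("log_errors", "0")):
        findings.append("log_errors off: errors are not recorded anywhere once display is turned off")
    return findings


# Constructed configuration matching the weaknesses described on the page.
WEAK_INI = """
; everything at its permissive default
open_basedir =
disable_functions =
display_errors = On
log_errors = Off
"""

# Constructed hardened counterpart. The open_basedir path is an assumption;
# in practice it is set per virtual host or per user directory.
HARDENED_INI = """
open_basedir = "/var/www/travel:/tmp"
disable_functions = exec,system,passthru,shell_exec,popen,proc_open,pcntl_exec
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
"""


if __name__ == "__main__":
    for line in audit_php_ini(WEAK_INI):
        print("weak:", line)
    print("hardened:", audit_php_ini(HARDENED_INI))  # []
```

These settings reduce exposure but do not create a trust boundary between users: disable_functions has well-known bypasses through other extensions, and open_basedir says nothing about processes started by other means, so the per-user execution fix from the 'web' account finding still has to be in place.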
 
 
=Nikhef travel system leaks logged-in status of users=
 
*<B>Type</B>: Information disclosure
 
*<B>Status</B>: <FONT color=red>Not fixed</FONT>
 
 
Using, for example, the URL: http://www.nikhef.nl/pub/travel/reizen.php?cmd=1&als=0&gebruiker=XXX, where 'XXX' is a user ID, the Travel system responds differently depending on whether that user is logged in (= has a session defined in the database) or not. Logged-in users produce a "Session corrupt" page, while not-logged-in users actually produce a PHP error message. Because the user ID is supplied in the URL and no authentication is needed to ask, an outsider can enumerate which users currently have a session. The reply given when the caller does not own the requested session must be identical whether or not that session exists.
 
 
=Unauthenticated external requests can logout any user from the Nikhef travel system=
 
*<B>Type</B>: Denial of service
 
*<B>Status</B>: <FONT color=red>Not fixed</FONT>
 
 
By retrieving the http://www.nikhef.nl/pub/travel/reizen.php?cmd=72&als=1&gebruiker=XXX page, the session of user 'XXX' (user ID) is removed from the database (cmd 72 is the log out command). This is because the Travel system does not verify the session of the caller before processing this command; it acts on whatever user ID is given in the URL. The caller must be identified by their own session cookie, never by a request parameter. Since the request is a plain GET, even a legitimately logged-in user can be logged out by a link or image tag on a third-party page, so state-changing commands also need a per-session token.
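The two session findings above (the logged-in oracle and the unauthenticated logout) share one root cause, so one example covers both. The stand-in below is added here and is written in Python, not the travel system's PHP, which is not on the page; the command numbers 1 and 72 are taken from the page, while the class, the replies and the token scheme are constructed. It contrasts the behaviour described with a dispatcher that identifies the caller from their own session and answers identically whenever the caller is not that user.

```python
"""Stand-in for the reizen.php session handling described above, written
to contrast the behaviour on the page with a hardened version. Added
example in Python, not the travel system's PHP; the command numbers 1
and 72 are from the page, the class, messages and token scheme are
constructed."""
import secrets

SHOW_TRIPS, LOGOUT = 1, 72          # cmd values named on the page


class TravelSessions:
    """Session store keyed by user ID: {user_id: {"token": ..., "csrf": ...}}."""

    def __init__(self):
        self.sessions = {}

    def login(self, user_id):
        sess = {"token": secrets.token_hex(16), "csrf": secrets.token_hex(16)}
        self.sessions[user_id] = sess
        return sess

    def vulnerable_dispatch(self, cmd, gebruiker):
        """Behaviour the page describes: the user ID in the URL is trusted and
        the caller is never identified."""
        if cmd == LOGOUT:
            self.sessions.pop(gebruiker, None)        # anyone can log anyone out
            return "Logged out"
        if cmd == SHOW_TRIPS:
            if gebruiker in self.sessions:
                return "Session corrupt"               # user has a session
            # constructed stand-in for the PHP warning a user without a session triggers
            return "Warning: Invalid argument supplied for foreach() in reizen.php"
        return "Unknown command"

    def hardened_dispatch(self, cmd, gebruiker, cookie_token=None, csrf_token=None):
        """Identify the caller by their own session cookie, answer identically
        whenever the caller is not authenticated as gebruiker (so the reply no
        longer reveals whether that user has a session), and require the
        session's CSRF token before changing state."""
        sess = self.sessions.get(gebruiker)
        authenticated = (sess is not None and cookie_token is not None
                         and secrets.compare_digest(sess["token"], cookie_token))
        if not authenticated:
            return "Not logged in"                     # same reply for both cases
        if cmd == LOGOUT:
            if csrf_token is None or not secrets.compare_digest(sess["csrf"], csrf_token):
                return "Request rejected"
            del self.sessions[gebruiker]
            return "Logged out"
        if cmd == SHOW_TRIPS:
            return "Trips for " + gebruiker
        return "Unknown command"


def demo():
    """Exercise both dispatchers; returns the observations as a dict."""
    app = TravelSessions()
    out = {}

    app.login("alice")
    # Oracle: the two replies differ, so a visitor learns alice is logged in and bob is not.
    out["vuln_oracle"] = (app.vulnerable_dispatch(SHOW_TRIPS, "alice"),
                          app.vulnerable_dispatch(SHOW_TRIPS, "bob"))
    app.vulnerable_dispatch(LOGOUT, "alice")           # no cookie, no token, still works
    out["vuln_logout_by_stranger"] = "alice" not in app.sessions

    sess = app.login("alice")
    out["hard_oracle"] = (app.hardened_dispatch(SHOW_TRIPS, "alice"),
                          app.hardened_dispatch(SHOW_TRIPS, "bob"))
    app.hardened_dispatch(LOGOUT, "alice")                                  # stranger
    app.hardened_dispatch(LOGOUT, "alice", cookie_token=sess["token"])      # owner, no CSRF token
    out["hard_logout_blocked"] = "alice" in app.sessions
    app.hardened_dispatch(LOGOUT, "alice", cookie_token=sess["token"], csrf_token=sess["csrf"])
    out["hard_logout_by_owner"] = "alice" not in app.sessions
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The constant-time comparisons are there because the session token is the only thing standing between an outsider and any account; the rest of the fix is simply refusing to use 'gebruiker' to decide who is asking.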
 
 
=Nikhef travel system database reachable from non-webserver computers=
 
*<B>Type</B>:
 
*<B>Status</B>: <FONT color=red>Not fixed</FONT>
 
 
It is possible to connect to the MySQL server hosting the Travel system database from other computers than the webserver. Combined with the readable config.inc above, this means anyone who has fetched that file can reach the database directly from any such computer. The MySQL server should listen on the loopback interface only (or be firewalled to the webserver), and the application's database account should be granted access only from the webserver's host.
 
 
=Copy (unmodified) of Nikhef travel system is fully functional=
 
*<B>Type</B>:
 
*<B>Status</B>: <FONT color=red>Not fixed</FONT>
 
 
A copy of the Nikhef Travel system hosted from a user's public_html folder is fully functional. Since the source code is directly copyable, this is trivially done, and the copy runs unchanged against the production database because the database credentials are part of the copied source and the database cannot tell the copy from the original. Also, with minor modifications (such as disabling the password checks) it is possible to host a version of the system that allows anybody to log in as anybody else. This follows from the earlier findings: as long as the source and credentials are readable by other accounts and the scripts all run as 'web', nothing distinguishes the real application from a user's copy.
 

Latest revision as of 15:38, 4 July 2011