--------------------------------------------------------------------
Dear Bugtraq Readers,

I wasn't sure if this advisory deserved space on the Bugtraq mailing
list, but as a friend of mine helped me remember: "All security flaws
are important no matter what their size." I guess I'll go ahead, hit
send and let you decide.

-BrainRawt
--------------------------------------------------------------------

SWS (StepWeb Search Engine) Administrative Access Vulnerability
Discovered by BrainRawt.

Vulnerable: SWS 2.5 (free version) and possibly others. SWS Gold maybe?

About SWS:
----------------
SWS is a search engine downloadable at www.stepweb.com. It finds one or
more words in a flat-file database in which URLs have been stored and
prints the results to the screen as HTML.

Vendor Contact:
----------------
4-01-02 - An email was sent to stepweb.com discussing this issue.
No reply yet!!!

Vulnerability:
----------------
SWS comes with an administration page that lets one add/delete
addresses to/from the database and view the log file that stores all
searched items. This page is known as admin.html and can normally be
found in the same directory as the search engine itself. It points to a
password-protected CGI script known as manager.pl. Not only does
admin.html point to manager.pl, it also stores the password in the HTML
links, as shown below:

http://www.mysite.com/cgi-bin/sws/manager.pl?add&pass=PassWord
http://www.mysite.com/cgi-bin/sws/manager.pl?del&pass=PassWord
http://www.mysite.com/cgi-bin/sws/manager.pl?log&pass=PassWord

Because the password travels in a GET query string, it is also recorded
wherever those URLs are logged: browser history, proxy logs, the web
server's own access log, and the Referer header of any link followed
from the page manager.pl returns.

Exploit:
----------------
If one were to find the location of the "admin.html" file, that person
could easily add addresses to the search database or view the log file
that stores all searches made by users of the engine. Deletion of
addresses cannot be done, for they are individually password protected
and those passwords are stored in an inaccessible .dat file.

EXAMPLE:
http://www.mysite.com/sws/admin.html and click the links. The hardcoded
links will do the rest. SHEESH!!!!

Fix:
---------------
NONE AT THE TIME OF THIS WRITING!

My advice is to place admin.html in a directory protected by .htaccess,
or rewrite the HTML so that the user must input the password instead of
clicking on it. :) Keep in mind that .htaccess alone only restricts who
can read the page; the manager.pl links still carry the password in the
URL, so it still ends up in the logs mentioned above. Taking the
password out of the link removes the root cause.
--------------------------------------------------------------------
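The check a reviewer would run against a deployed copy of admin.html, plus the shape of the "user must input the password" fix suggested above, as an added example. This is not code from StepWeb or from the original post; the sample admin.html, hostname and password are constructed to mirror the three links quoted in the advisory, and the hardened form assumes manager.pl is changed to read an `action` field and the password from a POST body, which the script as shipped (keyword and `pass=` in the GET query string) does not do.

```python
"""Find admin-page links that embed the manager.pl password in the URL,
and show what a hardened replacement page looks like.

Added example for the SWS advisory; not StepWeb's code.  The HTML below
is constructed to match the links quoted in the advisory.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the admin.html shipped with SWS 2.5.
SAMPLE_ADMIN_HTML = """
<html><body>
<h1>SWS administration</h1>
<a href="http://www.mysite.com/cgi-bin/sws/manager.pl?add&pass=PassWord">Add address</a>
<a href="http://www.mysite.com/cgi-bin/sws/manager.pl?del&pass=PassWord">Delete address</a>
<a href="http://www.mysite.com/cgi-bin/sws/manager.pl?log&pass=PassWord">View log</a>
<a href="search.html">Back to search</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect every href value from <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def find_leaked_passwords(html, script_name="manager.pl", param="pass"):
    """Return [(action, password), ...] for every link to script_name whose
    query string carries the credential.  'action' is the bare keyword
    (add/del/log) that SWS places before the password."""
    parser = _LinkCollector()
    parser.feed(html)
    leaks = []
    for href in parser.hrefs:
        parts = urlsplit(href)
        if not parts.path.endswith(script_name):
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        if param not in qs:
            continue
        # The action keyword has no '=' so it is taken from the raw query,
        # not from the parsed key/value pairs.
        tokens = parts.query.split("&")
        action = next((t for t in tokens if "=" not in t), "")
        leaks.append((action, qs[param][0]))
    return leaks


def hardened_admin_form(script_url):
    """Same three operations, but the operator types the password and it is
    sent in the POST body: nothing secret is written into the page or
    into a GET URL.  Assumes manager.pl is adapted to read 'action' and
    'pass' from the POST body (hypothetical; not the shipped behaviour)."""
    return f"""<form method="post" action="{script_url}">
  <select name="action">
    <option value="add">Add address</option>
    <option value="del">Delete address</option>
    <option value="log">View log</option>
  </select>
  <input type="password" name="pass" autocomplete="off">
  <input type="submit" value="Go">
</form>"""


if __name__ == "__main__":
    for action, password in find_leaked_passwords(SAMPLE_ADMIN_HTML):
        print(f"leaked: action={action!r} pass={password!r}")
    print(hardened_admin_form("http://www.mysite.com/cgi-bin/sws/manager.pl"))
```

Run it against a saved copy of a real admin.html (`find_leaked_passwords(open("admin.html").read())`) to confirm whether an installation is affected. The hardened form still sends the password over the wire, so it belongs behind HTTPS and, as the advice above says, in a directory protected by .htaccess.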