HTTP Potential Problems

Impact

The web server contains an application which may have a vulnerability. If the vulnerability is present, an unauthorized user could read files, change files, or execute commands on the server.

Background/Problems

Various programs which may be installed with certain Web servers are vulnerable to exploitation. These include:

piranha/secure/passwd.php3:
Piranha is a utility which comes with Red Hat Linux for administering the Linux Virtual Server. It comes with a default backdoor password which could allow unauthorized access to the Graphical User Interface (GUI). By exploiting vulnerabilities in the tools that come with the GUI, an attacker who knows the backdoor password could execute arbitrary commands on the server. Any server which has piranha-gui 0.4.12 installed, which is the default for Red Hat 6.2, is vulnerable.

cart32.exe:
This program is part of Cart 32, an E-Commerce Shopping Cart application. By default, it has a backdoor password of "wemilo". An attacker who knows this password could view a list of client passwords using an undocumented URL such as http://hostname/scripts/cart32.exe/cart32clientlist. The hashed client passwords could be used to execute arbitrary commands on the server using a specially crafted URL.
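
An added example, not part of the original page or of either product: a log check that finds requests to the two paths described above in a web server access log, so an administrator can see whether they have been probed and whether the server answered. The Common Log Format input, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request paths named on this page, lowercased for comparison.
WATCHED = {
    "/piranha/secure/passwd.php3": "piranha-gui password page",
    "/scripts/cart32.exe/cart32clientlist": "Cart32 client list URL",
}

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def normalize(target):
    """Drop the query string, percent-decode, collapse '//' and lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def scan(lines):
    """Return one record per request that reached a watched path."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m:
            continue  # not a CLF request line; skip rather than guess
        host, when, method, target, status = m.groups()
        path = normalize(target)
        for watched, label in WATCHED.items():
            if path == watched or path.startswith(watched + "/"):
                hits.append({"line": number, "client": host, "time": when,
                             "what": label, "status": int(status),
                             # a 2xx status means the server answered the request
                             "served": status.startswith("2")})
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [12/May/2000:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [12/May/2000:10:02:11 +0000] "GET /scripts/Cart32.exe/Cart32ClientList HTTP/1.0" 200 5120',
    '198.51.100.7 - - [12/May/2000:10:02:40 +0000] "GET /piranha/secure/passwd%2Ephp3?x=1 HTTP/1.0" 401 312',
    '203.0.113.5 - - [12/May/2000:10:03:00 +0000] "GET /scripts/cart32.exe HTTP/1.0" 200 800',
    'not a log line',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit with `served` set to true on the Cart32 path means the client list was returned and the client passwords should be treated as exposed. Hits on the piranha path include legitimate administrator logins, so compare the client address against known admin hosts.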

Resolutions

piranha/secure/passwd.php3:
Upgrade the piranha-gui package to version 0.4.13-1 or higher.

cart32.exe:
Using a hex editor, change the backdoor password (found at 0x6204h) to something else. Also change the permissions on c32web.exe so that it is only accessible by administrators. This will prevent unauthorized users from executing arbitrary commands using a specially crafted URL. Alternatively, apply the patch developed by L0pht.

Where can I read more about this?

piranha/secure/passwd.php3:
See the X-Force advisory.

cart32.exe:
See the Cerberus Advisory.