QNX Voyager Webserver多个漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105986 漏洞类型 设计错误
发布时间 2000-09-01 更新时间 2006-09-25
CVE编号 CVE-2000-0904 CNNVD-ID CNNVD-200012-090
漏洞平台 Multiple CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/20207
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200012-090
|漏洞详情
QNX405的示范磁盘中Voyagerweb服务器2.01B版本储存web档案根.photon目录的敏感web客户端信息。远程攻击者借助该漏洞获得信息。
|漏洞EXP
source: http://www.securityfocus.com/bid/1648/info
 
The web server supplied with the QNX Voyager demo disk contains several vulnerabilities.
 
First, Voyager will follow relative paths passed to it in requests. This includes ../ style paths, which will allow Voyager to serve pages outside of the "document root".
Another vulnerability is that the web server does not have sufficient security restrictions - this means that the web server can access any file, including protected files and special /dev entries.
 
As well, due to the integration of the web browser and web server, information used by the Photon GUI is easily exposed by requesting files under /.photon/. Additionally, html files generated by the web browser (error messages, for example) and the QNX configuration interface share the same directory as published html files.
 
While the Voyager web server is not intended to be used in a production environment, and is in fact intended only to be a demo of the QNX OS, users should be aware of these design errors.

[Revealing] URLS include...
http://target/.photon/voyager/config.full
The web client's settings file
http://target/.photon/voyager/history.html
Recently visited sites
http://target/.photon/voyager/hotlist
The list of book-marked sites
http://target/.photon/pwm/pwm.menu
The Photon Window Manager menu listing (Equivalent to MS Windows' 'start
menu')
http://target/.photon/phdial/connection [Modem build only]
|参考资料

来源:BID
名称:1648
链接:http://www.securityfocus.com/bid/1648
来源:BUGTRAQ
名称:20000901MultipleQNXVoyagerIssues
链接:http://www.securityfocus.com/archive/1/79956