ContentKeeper Account Password Information Disclosure Vulnerability

Vulnerability ID: 1193357    Vulnerability type: Design error
Published: 2006-09-27    Updated: 2006-09-28
CVE ID: CVE-2006-5018    CNNVD ID: CNNVD-200609-500
Platform: N/A    CVSS score: 4.0
|Vulnerability source
https://cxsecurity.com/issue/WLB-2006100005
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-500
|Vulnerability details
ContentKeeper is an advanced Internet content filter that allows organisations to monitor and manage access to Internet resources. ContentKeeper has a vulnerability in how it stores and handles user passwords; a remote attacker could exploit it to obtain account information without authorisation. Administrators manage the ContentKeeper front end through a web browser. Because ContentKeeper does not hash the existing user passwords, requesting the administration page causes each account's plaintext password to be inserted into the password input of the FORM element and returned to the client.
|Vulnerability EXP
aushack.com - Vulnerability Advisory
-----------------------------------------------
Release Date:
 22-Sep-2006

Software:
 ContentKeeper Technologies - ContentKeeper
 http://www.contentkeeper.com/

"ContentKeeper is an industry leading Internet content filter that allows
 organisations to monitor, manage, control & secure staff access to
 Internet resources."

Versions affected:
 ContentKeeper 123.25 and below.

Vulnerability discovered:

A design flaw in the user administration interface reveals account
 passwords inside the HTML source code. Any authenticated user with
 appropriate access to the user administration page may use this
 information to compromise the accounts on other systems.

Vulnerability impact:

Low - Unauthorised password disclosure may result in other system account
       breaches where the revealed password has been reused.

Vulnerability information:

The appliance is administered by use of a web browser HTML based front
 end. Authenticated users have access to the account administration page,
 whereby they can administer existing usernames, reset passwords, create
 and delete accounts etc. The appliance does not hash the existing user
 passwords. When the page is requested, the plaintext password for each
 account is inserted into the password input value of the FORM element
 and sent to the client.

Example:
  https://contentkeeperbox/cgi-bin/ck/changepw.cgi

This will return all user details. By viewing the page source,
  the password of each account is revealed.

E.g. for user 'root' with a password of 'it_isAs3cret':

<form>
  <input name="username" type="text" value="root">Username:
  <input type="password" name="password" value="it_isAs3cret">Password:
  ..
  <input name="username" type="text" value="rootBackup">Username:
  <input type="password" name="password" value="IamF0rgetful">Password:
</form>

It may be possible to extract this information from the browser cache,
  however the HTML content is set to expire immediately.

Solution:
 None yet, do not reuse passwords. Future versions may hash the value.

References:
 aushack.com advisory
 http://www.aushack.com/advisories/200606-contentkeeper.txt

Credit:
 Patrick Webster (patrick (at) aushack (dot) com [email concealed])

Disclosure timeline:
 15-Mar-2006 - Discovered during quick audit - common design flaw.
 08-Jun-2006 - Sent to ContentKeeper support.
 12-Jun-2006 - Vendor response, update expected July 2006.
 22-Sep-2006 - Public disclosure.

EOF
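The flaw above has two halves: the server keeps passwords in a form it can read back, and the page generator echoes that readable value into the `value` attribute of a password input. The following is an added example, not code from the advisory or from ContentKeeper, showing both a reviewer-side check and the corrected server-side pattern. It assumes nothing about the real product: the scanner works on any HTML response, the account store uses salted PBKDF2-HMAC-SHA256 with a work factor chosen for the example, and the sample page is constructed from the advisory's own illustrative form.

```python
"""Added example (not part of the advisory or the product): a defender-side
check for the ContentKeeper-style flaw, where a server renders each account's
stored plaintext password into the value attribute of a password input.

Two pieces:
  1. find_prefilled_password_fields(): scans an HTML response and reports
     password inputs whose value attribute is non-empty, the pattern a
     security reviewer or an automated regression test should flag.
  2. A minimal hardened account store that keeps only a salted PBKDF2 hash,
     so the page generator cannot emit the plaintext even by mistake, and a
     renderer that always sends password inputs with an empty value.
"""
import hashlib
import hmac
import os
from html import escape
from html.parser import HTMLParser


class _PasswordFieldScanner(HTMLParser):
    """Collect <input type="password"> elements carrying a non-empty value."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (field name, leaked value)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("value", "") != "":
            self.findings.append((a.get("name", ""), a["value"]))


def find_prefilled_password_fields(html_text):
    """Return [(name, value), ...] for every password input that arrives
    pre-filled; an empty list means the page passes this check."""
    scanner = _PasswordFieldScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# --- Hardened side: hash at rest, never echo a secret into the page --------

_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumption for this example)


def hash_password(password, salt=None):
    """Salted PBKDF2 digest; only (salt, digest) is stored, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def render_user_rows(accounts):
    """Render the account-admin form rows. The password input is always sent
    with an empty value: the server holds only hashes, so there is nothing to
    inject, and a blank submission is treated as 'password unchanged'."""
    rows = []
    for username in accounts:
        rows.append(
            '<input name="username" type="text" value="%s">Username:\n'
            '<input type="password" name="password" value="">Password:'
            % escape(username, quote=True)
        )
    return "<form>\n" + "\n".join(rows) + "\n</form>"


# Constructed sample: the response shape the advisory describes.
VULNERABLE_PAGE = """<form>
  <input name="username" type="text" value="root">Username:
  <input type="password" name="password" value="it_isAs3cret">Password:
  <input name="username" type="text" value="rootBackup">Username:
  <input type="password" name="password" value="IamF0rgetful">Password:
</form>"""


if __name__ == "__main__":
    print("vulnerable page leaks:", find_prefilled_password_fields(VULNERABLE_PAGE))
    accounts = {"root": hash_password("it_isAs3cret"),
                "rootBackup": hash_password("IamF0rgetful")}
    page = render_user_rows(accounts)
    print("hardened page leaks:", find_prefilled_password_fields(page))
    salt, digest = accounts["root"]
    print("login check:", verify_password("it_isAs3cret", salt, digest))
```

Running the module prints two findings for the constructed vulnerable page and none for the hardened rendering. The scanner is deliberately dumb (any non-empty `value` on a password input is a finding), which is the right bias for a regression test: a password field has no legitimate reason to arrive pre-filled, so a false positive costs a minute of review while a miss is the advisory above.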
|References

Source: BID
Name: 20152
Link: http://www.securityfocus.com/bid/20152
Source: BUGTRAQ
Name: 20060922 ContentKeeper Authenticated Access Password Disclosure
Link: http://www.securityfocus.com/archive/1/archive/1/446719/100/0/threaded
Source: MISC
Link: http://www.aushack.com/advisories/200606-contentkeeper.txt
Source: XF
Name: contentkeeper-html-password-disclosure(29113)
Link: http://xforce.iss.net/xforce/xfdb/29113
Source: SECTRACK
Name: 1016915
Link: http://securitytracker.com/id?1016915
Source: SREASON
Name: 1639
Link: http://securityreason.com/securityalert/1639