Informix Webdriver Remote Administration Access Vulnerability
BID:2166
Info
| Bugtraq ID: | 2166 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Dec 30 2000 12:00AM |
| Updated: | Dec 30 2000 12:00AM |
| Credit: | Reported to bugtraq by isno <[email protected]> on December 30, 2000 |
| Vulnerable: | Informix Webdriver 1.0 |
| Not Vulnerable: | |
Discussion
Informix Webdriver, the web-to-DB interface used by Informix database products, may permit unauthorized remote access to the system's administration functions.
Under very specific circumstances, if webdriver is called directly, without any additional parameters included in the URL submitted to the server, the response will take the form of a remote administration page which can permit a malicious non-local user to modify or delete database information.
John Wright <[email protected]> notes that this vulnerability is exploitable only under a particular misconfiguration, and that by default the above-described URL will result only in a "404 Asset not found", etc., and not in the display of a remote administration page.
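A way to check an existing web server log for the behaviour described above, as an added example that is not part of the original advisory: it flags requests for the bare webdriver CGI (no path info, no query string) and separates the default 404 case from responses that may have been the administration page. It assumes Common Log Format, the `/cgi-bin/webdriver` path from the URL on this page, and that the "404 Asset not found" response is sent with HTTP status 404; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Path taken from the URL shown on this page; adjust to the local CGI mapping.
WEBDRIVER_PATH = "/cgi-bin/webdriver"

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify(line):
    """Return None, or (verdict, host, time) for a bare webdriver request."""
    m = CLF.match(line)
    if not m:
        return None  # not a parseable CLF line
    parts = urlsplit(m["target"])
    # "Bare" means the CGI itself: no extra path info and no query string.
    if parts.path != WEBDRIVER_PATH or parts.query:
        return None
    # Assumption: the default "404 Asset not found" carries HTTP status 404.
    # Any other status means the server answered with something else,
    # which on a misconfigured host may be the administration page.
    verdict = "probe-only" if m["status"] == "404" else "possible-admin-page"
    return verdict, m["host"], m["time"]

def scan(lines):
    """Classify every line and keep only the bare webdriver requests."""
    return [hit for hit in map(classify, lines) if hit is not None]

# Constructed sample log lines (documentation address ranges, made-up sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Dec/2000:10:15:02 +0000] "GET /cgi-bin/webdriver HTTP/1.0" 200 5120',
    '203.0.113.9 - - [30/Dec/2000:10:16:40 +0000] "GET /cgi-bin/webdriver HTTP/1.0" 404 210',
    '198.51.100.4 - - [30/Dec/2000:10:17:11 +0000] "GET /cgi-bin/webdriver?page=home HTTP/1.0" 200 8032',
    '198.51.100.4 - - [30/Dec/2000:10:17:12 +0000] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for verdict, host, when in scan(SAMPLE_LOG):
        print(f"{verdict:20} {host:15} {when}")
```

A `possible-admin-page` hit is a reason to review the Webdriver configuration on that host and to check what the response body actually was.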
Exploit / POC
http://example.com/cgi-bin/webdriver
Solution / Fix
Solution:
John Wright <[email protected]> notes that logs may be disabled, or moved and placed in secured locations on disk.
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].