97562 2003-04-02 23:39 /56 lines/ Ben Maynard <liliafan@yahoo.co.uk>
Imported: 2003-04-02 23:39 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: liliafan@yahoo.co.uk
Recipient: Bugtraq (import) <4303>
Subject: Viewpoint Server
------------------------------------------------------------

-------------------------------
Application: Viewpoint Server
Vendor: DS Ltd
Language: Shell
OS: Unixes
Discovered: Ben Maynard <bmaynard(at)voodoox(dot)net>
-------------------------------

Application Description:

Viewpoint Server is a web application that allows users to view catalogs at their local library; additionally, Viewpoint allows users to reserve books and even query their accounts to see what they have in the way of fines and outstanding books.

Application Problem:

When a user queries the database, the application creates a file in the /tmp directory which is then read and printed to the screen. This filename is passed in clear text to the browser, which allows the user to enter any file name they choose, including "/etc/passwd". The security implications of this are obvious. It is also possible to read the database data devices through the browser, so the possibility exists for a user to write an interface to translate these files, thus getting personal details on the users in that library district.

Exploit Severity: Severe

Ability to read the majority of files on the system and the ability to exploit the database for personal details on all users. As an additional problem, this software is used by the majority of internet-connected libraries in the United Kingdom.

Action Taken:

I notified the authors through my local library > 5 months ago. 40 days ago the problem still existed, so I contacted DS directly and spoke to the author; he promised a fix. I checked today and it appears to have been quietly fixed.
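The check the advisory says was missing, as an added example written from a defender's stance and not Viewpoint's own code: a CGI script handing a query result back to the browser should accept only a bare result token and open it inside its own result directory, never a caller-supplied path. The result directory, the token format and the file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Viewpoint's code. A CGI script that hands a query
# result back to the browser must never open an arbitrary name the browser
# sends; it should accept only the bare token it issued and open that token
# inside its own result directory. RESULT_DIR and the token format are
# assumptions for illustration.

RESULT_DIR=${RESULT_DIR:-/tmp/viewpoint-results}

# safe_result_path NAME
# Prints "$RESULT_DIR/NAME" only when NAME is a plain token of letters,
# digits, '-' and '_'. Anything containing '/', '.' or shell metacharacters
# (so "../etc/passwd", "/etc/passwd", "db/data.dat") is rejected before
# any filesystem access takes place.
safe_result_path() {
    name=$1
    case $name in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    printf '%s/%s\n' "$RESULT_DIR" "$name"
}

# read_result NAME
# Emits the result file to the browser only if the name passes the check
# and the target is a regular file that is not a symlink, so a link planted
# in a world-writable result directory cannot redirect the read elsewhere.
read_result() {
    path=$(safe_result_path "$1") || return 1
    [ -f "$path" ] && [ ! -L "$path" ] || return 1
    cat "$path"
}

# Constructed demonstration: only the bare token is accepted.
for candidate in q8f3k2 ../../etc/passwd /etc/passwd db/data.dat; do
    if safe_result_path "$candidate" >/dev/null; then
        echo "accept: $candidate"
    else
        echo "reject: $candidate"
    fi
done
```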