CWE-650, HTTP Put, Upload Data, Malicious Content, DORK, GHDB, primeworld.com

CWE-650: Trusting HTTP Permission Methods on the Server Side

Report generated by XSS.CX at Thu Apr 21 16:13:16 CDT 2011.


Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.


1. HTTP PUT enabled

2. ASP.NET debugging enabled

3. Cookie without HttpOnly flag set

4. Robots.txt file



1. HTTP PUT enabled

Summary

Severity:   High
Confidence:   Certain
Host:   http://primeworld.com
Path:   /

Issue detail

HTTP PUT is enabled on the web server. The file /7e3171d6f3b2563.txt was uploaded to the server using the PUT verb, and the contents of the file were subsequently retrieved using the GET verb.

Issue background

The HTTP PUT method is used to upload data which is saved on the server at a user-supplied URL. If enabled, an attacker can place arbitrary, and potentially malicious, content into the application. Depending on the server's configuration, this may lead to compromise of other users (by uploading client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.

Issue remediation

You should refer to your platform's documentation to determine how to disable the HTTP PUT method on the server.

Request 1

PUT /7e3171d6f3b2563.txt HTTP/1.0
Host: primeworld.com
Content-Length: 16

72aa57dd98e41b7f

Response 1

HTTP/1.1 201 Created
Connection: close
Date: Thu, 21 Apr 2011 21:05:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://primeworld.com/7e3171d6f3b2563.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

Request 2

GET /7e3171d6f3b2563.txt HTTP/1.0
Host: primeworld.com

Response 2

HTTP/1.1 200 OK
Content-Length: 16
Content-Type: text/plain
Last-Modified: Thu, 21 Apr 2011 21:05:57 GMT
Accept-Ranges: bytes
ETag: W/"627fb6e8670cc1:114a"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 21 Apr 2011 21:05:56 GMT
Connection: close

72aa57dd98e41b7f

2. ASP.NET debugging enabled

Summary

Severity:   Information
Confidence:   Firm
Host:   http://primeworld.com
Path:   /Default.aspx

Issue detail

ASP.NET debugging is enabled on the server. The user context used to scan the application does not appear to be permitted to perform debugging, so this is not an immediately exploitable issue. However, if you were able to obtain or guess appropriate platform-level credentials, you may be able to perform debugging.

Issue background

ASP.NET allows remote debugging of web applications, if configured to do so. By default, debugging is subject to access control and requires platform-level authentication.

If an attacker can successfully start a remote debugging session, this is likely to disclose sensitive information about the web application and supporting infrastructure which may be valuable in formulating targeted attacks against the system.

Issue remediation

To disable debugging, open the Web.config file for the application, and find the <compilation> element within the <system.web> section. Set the debug attribute to "false". Note that it is also possible to enable debugging for all applications within the Machine.config file. You should also confirm that the debug attribute in the <compilation> element has not been set to "true" within the Machine.config file.

It is strongly recommended that you refer to your platform's documentation relating to this issue, and do not rely solely on the above remediation.

Request

DEBUG /Default.aspx HTTP/1.0
Host: primeworld.com
Command: start-debug

Response

HTTP/1.1 401 Unauthorized
Connection: close
Date: Thu, 21 Apr 2011 21:05:57 GMT
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 39

Debug access denied to '/Default.aspx'.

3. Cookie without HttpOnly flag set

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primeworld.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

Request

GET / HTTP/1.1
Host: primeworld.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 21 Apr 2011 21:05:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=je2epyi2k1oklb33ehrmadel; path=/; HttpOnly
Set-Cookie: starttime=starttime=4/21/2011 5:05:56 PM; expires=Thu, 21-Apr-2011 21:06:56 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 76272


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html;charset=ISO-8859-1">
<meta name="generator" content="Adobe GoLive 6">
<title>pri
...[SNIP]...

4. Robots.txt file

Summary

Severity:   Information
Confidence:   Certain
Host:   http://primeworld.com
Path:   /

Issue detail

The web server contains a robots.txt file.

Issue background

The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site which robots are allowed, or not allowed, to crawl and index.

The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.

Issue remediation

The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honour the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorised access.

Request

GET /robots.txt HTTP/1.0
Host: primeworld.com

Response

HTTP/1.1 200 OK
Content-Length: 74
Content-Type: text/plain
Last-Modified: Wed, 31 Mar 2010 12:41:36 GMT
Accept-Ranges: bytes
ETag: "4963b680cfd0ca1:114a"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 21 Apr 2011 21:05:56 GMT
Connection: close

User-agent: *
Disallow: ./Distributor/
Disallow: ./ProductDetails.aspx
