View Full Version : !! MAJOR !! Red Hat Interchange Security Issue
techid 08-08-2002, 08:25 PM I don't know if it was posted in here.. I did a fast search and didn't see it. This was posted in the CPanel Support Forums.
--------------------------
Am I cracking up or.....
Ok redhat users, try this one on your server:
http://YOURSERVER.COM:7786/../../../../../../../../../etc/passwd
let me know if you see anything strange....
---------------------------
There is more on this, but I don't want to give sneaky peoples more ideas. I would suggest not using Interchange until a patch is made.
BiaSecurity 08-08-2002, 08:34 PM What are you running on port 7776, I think it was, or just 777 from the post?
And why does it have access to the /etc/passwd file,
even though that is not /etc/shadow?
Maybe you should try | and piping some commands to it if it's a CGI script..
Anthony LaMantia
www.bia-security.com
BiaSecurity 08-08-2002, 08:35 PM Bahh.. Interchange, sorry, I did not read your post all of the way through; sorry, I have had a busy/bad day.
I think I saw a patch for that out a while ago... and what can be more sneaky than grabbing files off a server? lol
1upromo 08-09-2002, 09:55 AM "For anyone that did not fully understand what JackDcrack posted, here's step by step instructions..
1. Edit the file '/usr/local/cpanel/3rdparty/interchange/lib/Vend/Server.pm'
2. Scroll down to around line 754 (you can press CTRL-C in pico to view your position).
3. After the line..
#::logDebug("exiting loop");
..add the line..
+ 0 while $request =~ s|/\.*/|/|g;
After you've added the new line, it should look something like..
#::logDebug("exiting loop");
+ 0 while $request =~ s|/\.*/|/|g;
my $url = new URI::URL $request;
@{$argv} = $url->keywords();
4. Save the file and restart Interchange. Then try to visit http://www.yourserver.com:7786/../../../../../../../../../etc/passwd to see if it worked.
"
Techark 08-09-2002, 10:01 AM Is this a fix that Red Hat has come up with?
1upromo 08-09-2002, 10:37 AM /sbin/ipchains -A input -s 127.0.0.1 -d 127.0.0.1 7786 -p tcp -y -j ACCEPT
/sbin/ipchains -A input -s 0/0 -d 0/0 7786 -p tcp -y -j DENY
Running the above should allow Interchange to continue to function and prevent people from remotely taking advantage of this hole.
Shyne 08-09-2002, 04:35 PM What is the effect after you access http://www.yourserver.com:7786/../...../../etc/passwd ?
Website Rob 08-09-2002, 06:22 PM http://YOURSERVER.COM:7786/../../....../../etc/passwd
This gave me a download "password.exe" file which, after downloading, is actually a text file.
Stated: /../...../../etc/passwd not a Interchange catalog or help file.
Now this wasn't mentioned, but I do not have Interchange installed (although I do use Cpanel) and to my knowledge, no patches have been installed either.
Am I missing something here?
ToastyX 08-09-2002, 07:03 PM Originally posted by Website Rob
http://YOURSERVER.COM:7786/../../....../../etc/passwd
This gave me a download "password.exe" file which, after downloading, is actually a text file.
Stated: /../...../../etc/passwd not a Interchange catalog or help file.
Now this wasn't mentioned, but I do not have Interchange installed (although I do use Cpanel) and to my knowledge, no patches have been installed either.
Am I missing something here?
Looks like vBulletin parsed and shortened the URL. Try: http://example.com:7786/../../../../../../etc/passwd
Replace example.com with a domain or IP address from your server of course.
Website Rob 08-09-2002, 07:19 PM I see, said the blind man. :eek:
Now that I'm with the program, the patching needs to be done A.S.A.P!
1upromo, it was asked if your first patch was a solution, but you posted another. Is one better than the other, use them both, or...
Techark 08-09-2002, 07:32 PM Originally posted by Website Rob
I see, said the blind man. :eek:
Now that I'm with the program, the patching needs to be done A.S.A.P!
1upromo, it was asked if your first patch was a solution, but you posted another. Is one better than the other, use them both, or...
The ipchains patch is one Nick came up with real quick.
The other patch is one the Interchange group came up with to patch the code.
I have them both on my boxes.
Shyne 08-09-2002, 08:48 PM Originally posted by Monte
The other patch is one the Interchange group came up with to patch the code.
I have them both on my boxes.
Feel free to share.
DuncanMcLord 08-09-2002, 09:31 PM quoted from "itf" from cpanel forums:
Your Interchange is vulnerable
Attention: The provided hacks by Kevin Walsh, (SH)Saeed and JackDcrack for Interchange are all vulnerable:
This hack just protects you against this attack:
http://domain.com:7786/../../../../../../etc/passwd
but not these ones:
http://domain.com:7786/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
http://domain.com:7786/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd
I wrote a complete hack to protect you against all kinds of these attacks:
In a Root SSH session: (press CTRL-C in pico to view your position)
1- chmod 644 /usr/local/cpanel/3rdparty/interchange/lib/Vend/Server.pm
2- pico /usr/local/cpanel/3rdparty/interchange/lib/Vend/Server.pm
3- After the line 754, add the bold text (do not enter line numbers)
754: #::logDebug("exiting loop" ) ;
755: + 0 while $request =~ s|/[(\.)(%2E)(%2e)]*/|/|g;
756: my $url = new URI::URL $request;
757: @{$argv} = $url->keywords();
4- chmod 444 /usr/local/cpanel/3rdparty/interchange/lib/Vend/Server.pm
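The thread above shows three things in sequence: a path-traversal request against port 7786, a regex that collapses literal `/../` segments, and the observation that `%2e`-encoded dots walk straight past that regex. The block below is an added illustration of that reasoning and is not Interchange's code nor code posted by anyone in this thread. It is written in Python rather than Interchange's Perl, emulates both forum regexes so their behaviour can be compared on the same inputs, and then shows the approach a practitioner would actually want: percent-decode first, normalise the path lexically, and verify the result still lies under the document root. Note that the second forum regex, `/[(\.)(%2E)(%2e)]*/`, is a character class, not an alternation, so it also removes any legitimate segment spelled from the characters `( ) . % 2 E e`; the emulation below makes that visible. The `/catalog` root, the `is_traversal` helper and every sample request are constructed for this example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed request paths modelled on the ones quoted in the thread (not captured traffic).
# The last three are root-relative catalog pages that a fix must leave alone.
SAMPLE_REQUESTS = [
    "/../../../../../../../../../etc/passwd",                  # plain traversal
    "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",   # lower-case percent-encoded dots
    "/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd",   # upper-case percent-encoded dots
    "/%252e%252e/%252e%252e/etc/passwd",                       # double-encoded: %25 -> %, then %2e -> .
    "/products/index.html",                                    # legitimate page
    "/2e/index.html",                                          # legitimate directory named "2e"
    "/products/../../etc/passwd",                              # traversal that starts inside the root
]

def _repeat_sub(pattern: str, request: str) -> str:
    """Apply a global substitution until the string stops changing, like Perl's
    '1 while s|...|...|g' idiom used in the forum patches."""
    while True:
        new = re.sub(pattern, "/", request)
        if new == request:
            return new
        request = new

def strip_dot_segments(request: str) -> str:
    """Emulates the first forum patch, s|/\\.*/|/|g: collapses '/../' but treats '%2e' as
    ordinary text, so an encoded request passes through untouched."""
    return _repeat_sub(r"/\.*/", request)

def strip_dot_segments_classed(request: str) -> str:
    """Emulates the second forum patch, s|/[(\\.)(%2E)(%2e)]*/|/|g. The brackets build a
    character class of ( ) . % 2 E e, so any segment made only of those characters is
    deleted, including harmless directory names such as '2e' or 'e'."""
    return _repeat_sub(r"/[(\.)(%2E)(%2e)]*/", request)

MAX_DECODE_ROUNDS = 3  # assumption: enough to undo realistic multi-encoding without looping forever

def fully_decode(request: str) -> str:
    """Percent-decode until the string stops changing, so %252e is reduced through %2e to '.'.
    Decoding to a fixed point is a deliberately conservative choice for a path resolver."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(request)
        if decoded == request:
            return decoded
        request = decoded
    raise ValueError("request still changing after %d decode rounds" % MAX_DECODE_ROUNDS)

def resolve_catalog_path(request: str, root: str = "/catalog") -> str:
    """Decode, then normalise, then check containment. Returns the resolved absolute path or
    raises ValueError. The containment check runs on the path the filesystem would actually
    open, which is what the regex approaches above never guarantee."""
    decoded = fully_decode(request)
    if "\x00" in decoded:
        raise ValueError("NUL byte in request path")
    # posixpath.normpath collapses '.', '..' and repeated slashes; on an absolute path any
    # '..' that would climb above '/' is dropped rather than preserved.
    resolved = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if resolved != root and not resolved.startswith(root + "/"):
        raise ValueError("path escapes %s: %s" % (root, resolved))
    return resolved

def is_traversal(request: str, root: str = "/catalog") -> bool:
    """True when the request would resolve outside the root (hypothetical helper for the demo)."""
    try:
        resolve_catalog_path(request, root)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print("%-55s regex1=%-22s regex2=%-22s traversal=%s" % (
            req, strip_dot_segments(req), strip_dot_segments_classed(req), is_traversal(req)))
```

Running the script side by side makes the thread's point concrete: the first regex turns the plain request into `/etc/passwd` but leaves the `%2e` variants untouched, the second catches both encodings but also rewrites `/2e/index.html` to `/index.html`, and neither sees the double-encoded form. The decode-normalise-check resolver rejects all four traversal forms and accepts both legitimate pages, because it reasons about the final path rather than about which spelling of a dot appeared in the URL.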