All Computer Users: Keep Your Computer Safe From Viruses, Malware, Spyware, Threats

Tuesday, January 5, 2010

Shortcut to Google As A Hacking Tool

Admin.cfg
Admin.cfg is usually an administrative configuration file of some sort. Many different programs
use names like “config”, “admin” or “setup” for such files, and these files often contain
sensitive information (passwords, for example), so they should not be reachable by people browsing the web.
I tried a search for admin.cfg using the following search string on Google:
inurl:admin.cfg “index of”
The inurl: operator restricts results to pages whose URL contains admin.cfg, and the quoted phrase
“index of” matches the title of automatically generated directory listings, i.e. directories the web
server exposes because no index page is present and listing is enabled.
This returned many results, most of them useless, but some paid off.
I found, for example: http://www.alternetwebdesign.com/cgi-bin/directimi/admin.cfg
which contained a password. This was the admin password for a database located at
http://www.alternetwebdesign.com/cgi-bin/directimi/database.cgi?admin.cfg
This database contained sensitive client data of this particular company. I then proceeded to e-mail
the company and tell them about the flaw. They replied to me in a very friendly manner and told me
they appreciated my help and that they would take the necessary steps to solve the problem.
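The search above is one instance of a general pattern: pick a filename that should never be public, ask Google for URLs containing it, and prefer results that are directory listings. The script below is an added example (not code from the original post) that builds such queries for a list of sensitive filenames and then parses an Apache-style “Index of” listing to pull out and flag the files it exposes. The SENSITIVE_FILES list, the example.com base URL and the SAMPLE_LISTING HTML are constructed for illustration; the parser assumes the plain `<a href="...">` markup Apache's autoindex emits.

```python
import re
from urllib.parse import urlsplit

# Filenames the article singles out plus a few common variants (constructed, illustrative list).
SENSITIVE_FILES = ("admin.cfg", "config.cfg", "setup.cfg", "webeditor.php", "file_upload.php")


def build_dorks(filenames, with_index_of=True):
    """Build one Google query per filename, following the article's
    inurl:admin.cfg "index of" pattern (the quoted phrase targets directory listings)."""
    dorks = []
    for name in filenames:
        query = f"inurl:{name}"
        if with_index_of:
            query += ' "index of"'
        dorks.append(query)
    return dorks


# Matches the href of each link in an autoindex page.
HREF_RE = re.compile(r'<a\s+href="([^"]+)"', re.IGNORECASE)


def parse_autoindex(html, base_url):
    """Return absolute URLs of the files shown in an Apache-style 'Index of' listing.

    Sort-order links (?C=...), the parent-directory link, subdirectories and
    absolute/external links are skipped; only plain file entries are kept.
    """
    if not re.search(r"<title>\s*Index of", html, re.IGNORECASE):
        return []  # not a directory listing at all
    files = []
    for href in HREF_RE.findall(html):
        if href.startswith("?") or href.startswith("/") or href.endswith("/") or "://" in href:
            continue
        files.append(base_url.rstrip("/") + "/" + href)
    return files


def flag_sensitive(urls, filenames=SENSITIVE_FILES):
    """Group the URLs whose last path component is a sensitive filename by host,
    which is the shape you want when notifying each site owner separately."""
    hits = {}
    for url in urls:
        parts = urlsplit(url)
        name = parts.path.rsplit("/", 1)[-1].lower()
        if name in filenames:
            hits.setdefault(parts.netloc, []).append(url)
    return hits


# Constructed sample: what an exposed cgi-bin directory listing looks like.
SAMPLE_BASE = "http://www.example.com/cgi-bin/app"
SAMPLE_LISTING = """<html><head><title>Index of /cgi-bin/app</title></head>
<body><h1>Index of /cgi-bin/app</h1>
<a href="?C=N;O=D">Name</a>
<a href="/cgi-bin/">Parent Directory</a>
<a href="admin.cfg">admin.cfg</a>
<a href="database.cgi">database.cgi</a>
<a href="data/">data/</a>
</body></html>"""


if __name__ == "__main__":
    for dork in build_dorks(SENSITIVE_FILES):
        print("query:", dork)
    exposed = parse_autoindex(SAMPLE_LISTING, SAMPLE_BASE)
    for host, urls in flag_sensitive(exposed).items():
        print(host, "->", urls)
```

The same parser can be pointed at any listing you are authorised to inspect; the search queries themselves are what you type into Google, the script only generates them.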
Webadmin
A short while back, while working on this article, I ran into this website:
http://wacker-welt.de/webadmin/
The website explains that “webadmin” is a small piece of software that allows one to remotely edit
parts of a website, upload files, etc. The main page of the webadmin control centre is called
“webeditor.php”. So, obviously, my next step was to go to Google and use the inurl: operator to find
webeditor.php pages that I could reach. I used the following search string:
inurl:webeditor.php
and found the following results:
http://orbyonline.com/php/webeditor.php
http://www-user.tu-chemnitz.de/~hkri/Neuer%20Ordner/webeditor.php
http://artematrix.org/webeditor/webeditor.php
http://www.directinfo.hu/kapu/webeditor.php
All these webeditor.php files were reachable by anyone, merely because the owners had failed to
(correctly) protect the pages with .htaccess. This mistake allows anyone to change the web pages
on the server (defacing the site) and to upload files, possibly gaining full access to the server.
While browsing through these sites I noticed that the file that allows one to upload files is called
“file_upload.php”, which I could then search for on Google to find more examples:
http://www.hvcc.edu/~kantopet/ciss_225/examples/begphp/ch10/file_upload.php
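The fix the article points at is simply to stop the web server from serving these files to anonymous visitors. Below is an added example of an Apache .htaccess that does this (it is not configuration from the webadmin project or from any of the sites listed). It assumes Apache 2.4 with mod_authz_core and mod_auth_basic loaded and AllowOverride permitting these directives in the directory; the realm name and the password-file path are placeholders.

```apache
# "Before": the exposed sites effectively had no .htaccess at all, so
# admin.cfg was downloadable, webeditor.php ran for anyone, and the
# directory listing that the "index of" dork finds was switched on.

# "After":

# 1. Never generate directory listings; the inurl:... "index of" query
#    depends on them.
Options -Indexes

# 2. Configuration files are read by the application on disk, not by
#    browsers, so deny web access to them outright.
<FilesMatch "\.(cfg|ini|conf)$">
    Require all denied
</FilesMatch>

# 3. The editor and upload scripts must stay usable for the site owner,
#    so require authentication instead of denying them.
#    (Placeholder realm and htpasswd path; keep the password file outside
#    the document root.)
<FilesMatch "^(webeditor|file_upload)\.php$">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</FilesMatch>
```

On Apache 2.2 the access-control syntax differs (Order/Deny/Allow instead of Require), and if AllowOverride is set to None the same directives have to go into the virtual host configuration instead. Basic authentication should only be used over HTTPS, since the credentials are otherwise sent in the clear.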
