
Dreamweaver testing scripts can lead to database compromise

Get the details on an important flaw in sites developed with Dreamweaver, as well as some vulnerabilities in Oracle servers, the Mozilla Web browser, and other software.


There is a serious problem with Macromedia Dreamweaver that can compromise critical databases if certain test scripts were left in the software when it was deployed. Since Dreamweaver is often used in developing e-commerce applications, the back door left in the deployed code needs to be removed so that critical data isn't compromised.

Details
An implementation of IIS with Dreamweaver MX and UltraDev 4 development platforms is routinely tested against the associated database(s) by using an ASP script (mmhttpdb.asp), which can be freely accessed by anyone on the development team without a user ID or any password.

Unfortunately, back in March, NGSSoftware.com discovered that this file may be left in the application and on the final Web site, which can give anyone remote access to the database.

Applicability
This affects all versions of:
  • Dreamweaver MX
  • Dreamweaver MX 2004
  • Dreamweaver UltraDev 4

Risk level—critical
The attack isn't trivial but, using some published exploits and hints, a remote attacker can access most or all of the data in the associated database. And, since Dreamweaver is often used to develop commercial e-commerce sites, these databases are likely to contain sensitive information.

Mitigating factors
There are no known mitigating factors, except for the possibility that the offending files have already been manually removed by a security-conscious administrator or developer.

Fix—Delete the scripts
Since the vulnerable ASP script would be found in the mmServerScripts directory (Dreamweaver MX) or mmDBScripts (UltraDev), these directories should always be deleted whenever testing is completed on the site. See the Dreamweaver Security Bulletin MPSB 04-05, "Potential Risk in Dreamweaver Remote Database Connectivity," for more information.
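
The check described above can be run against a copy of the deployed web root before and after cleanup. This is an added example, not code from Macromedia, NGSSoftware, or the original article. The directory and file names come from the article; matching them case-insensitively and with an optional leading underscore is an assumption, and the sample tree is constructed.

```python
import os
import sys

# Names from the article. Matching is case-insensitive because IIS paths are;
# accepting a leading underscore on the folder name is an assumption added here.
TEST_DIRS = {"mmserverscripts", "mmdbscripts"}
TEST_FILES = {"mmhttpdb.asp"}


def find_leftovers(web_root):
    """Return sorted (kind, path relative to web_root) for leftover test scripts."""
    findings = []
    for current, dirs, files in os.walk(web_root):
        for name in dirs:
            if name.lower().lstrip("_") in TEST_DIRS:
                findings.append(("test-script-dir", _rel(current, name, web_root)))
        for name in files:
            if name.lower() in TEST_FILES:
                findings.append(("db-test-script", _rel(current, name, web_root)))
    return sorted(findings)


def _rel(current, name, web_root):
    # Forward slashes so reports look the same on Windows and elsewhere.
    return os.path.relpath(os.path.join(current, name), web_root).replace(os.sep, "/")


def build_sample_site(root):
    """Constructed sample tree (not a real site) for trying the scan offline."""
    for rel in ("shop/checkout.asp",
                "Connections/store.asp",
                "_mmServerScripts/MMHTTPDB.asp",
                "admin/mmDBScripts/mmhttpdb.asp"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<% ' placeholder %>\n")


if __name__ == "__main__":
    # Usage: python find_dw_leftovers.py <path-to-deployed-web-root>
    results = find_leftovers(sys.argv[1])
    for kind, path in results:
        print(f"{kind}\t{path}")
    sys.exit(1 if results else 0)
```

The script exits with status 1 when anything is found, so it can gate a deployment step; a copy of mmhttpdb.asp that was moved out of its original folder is still reported.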

Final word
If you are managing a Web site developed using Dreamweaver or UltraDev software, you should check to be certain that either the affected development packages weren't used in the programming or, if they were, that the scripts have been properly removed or that other steps have been taken to protect the database.

I would like to point out that NGSSoftware dealt with this responsibly, first notifying Macromedia on March 10, 2004, and then waiting until April 5 to post the notice publicly, several days after Macromedia posted the Security Bulletin addressing this threat on April 2.

Also watch for …
There are multiple, unknown security vulnerabilities in various Oracle products, including:
—Oracle Application Server Web Cache 10g 9.0.4.0 (+ Oracle Application Server 10g 9.0.4.0)
—Oracle Oracle9i Application Server Web Cache 2.0.0.4 (+ Oracle Oracle9i Application Server 1.0.2.2)
—Oracle Oracle9i Application Server Web Cache 9.0.2.3
—Oracle Oracle9i Application Server Web Cache 9.0.2.2 (+ Oracle iStore 11i 11i.IBE.O)
—Oracle Oracle9i Application Server Web Cache 9.0.3.1.
You can see a report in BugTraq. These are remotely exploitable threats and, at the time this was written, only some of the server versions had been patched. If you use any of these products, you should probably contact Oracle about this, since there is no information about the precise threat or how serious it might be.

Joshua Wright has released Asleap, a tool that exploits a weakness in Cisco LEAP authentication protocols to expose passwords and more. He worked with Cisco and delayed release for a considerable period until a fix was in place. I mention Asleap so Cisco users are warned that the tool source code is now out there in the wild, and they can use it to test the security of their own installations.

Cisco has advised, "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled. There is no workaround." According to Cisco, this exists in ALL versions of WLSE and HSE. Patches are available for some versions and only for registered users.

There is a report (along with a published exploit) that the free Panda ActiveScan version 5 antivirus software contains a bug that allows an attacker to run arbitrary code on a vulnerable system.

F-Secure Anti-Virus for MIMEsweeper versions 5.41 and 5.42 fail to block Sober.D. The report on Securitytracker.com includes a published exploit.

There is a buffer overrun in the McAfee FreeScan ActiveX control that allows an attacker to run arbitrary code on the vulnerable systems. Again, this report is in Securitytracker.com and, again, it includes exploit code.

In an earlier Locksmith column, I reported (accurately) that the bugs in ISS security software (such as BlackICE) that caused it to fail when attacked by the Witty worm could be fixed only if you had a current maintenance contract. This was the ISS position despite the fact that, if you had originally purchased a legitimate copy, then the bug was in the product you had paid for. ISS has since reversed its position and will make a free patch available to anyone, but only until May 15, 2004.

A BugTraq report about the Mozilla Web browser indicates that the browser has a cross-site scripting vulnerability. Red Hat has released upgrades for the various affected subversions of version 1.4.2. This also affects many Mozilla versions for Mandrake, Mac (both OS and OS X), Windows, Conectiva Linux, Be, Compaq Open VMS, FreeBSD, IBM AIX, Solaris, and perhaps more.


 
