Monday, July 23, 2007

Fox News, Directory Indexing, and FTP Passwords

Update 07.24.2007: Reportedly the ziffdavis FTP account contained the names, phone numbers, and email addresses of at least 1.5 million people. Also, while the details are undisclosed, some XSS and SQLi vulnerabilities have been found in the FOX site. FUN!

A 19 year old photography student (Gordon Lowrey) found that the Fox News website had Directory Indexing enabled (now disabled). Sure it’s not a good practice (against PCI-DSS), but typically not a big deal security wise and it happens occasionally on other major websites. What made this one interesting in the person navigated up the directory tree their way to the /admin/ folder, no password required, where inside was a curious bash shell script thats still available.

#!/usr/local/bin/bash


filedir="/data/fnc01_docs/admin/xml_parser/zdnet"

workdir="/in"

importdir="f93kl"


ftpoptions="-vn"

logname="foxnews_\%1"

logpasswd="T1me\ 0ut"

hostip="ftp.g.ziffdavis.com"

date_string=`date +%y%m%d`


echo "start ftp..."

ftp $ftpoptions $hostip << -EOF-

user $logname $logpasswd

asc

prompt

cd $importdir

mget *$date_string*
close
-EOF-

mv Fox*.xml $filedir$workdir

echo "end ftp..."


It looks like Fox News is taking a feed from zdnet and inside is their FTP username and password. Oops. I’m not certain how much access this account granted, no way I’m testing it, but it certainly doesn’t look good. Maybe this account is used elsewhere, maybe it could write back to zdnet and push content to other outlets. Very bad. Hard to say for sure, but certainly not a headline the Fox News administrators want to wake up to. This also goes to show that not all websites vulnerabilities are in the code and you never know who might give you a free pen-test.

1 comment:

kL said...

Having failed to set up reliable FTP server on my hosts, I've switched to SFTP (rssh-limited) and RSA key authentication, and now I feel like pro! :D