COMMAND

    Webdriver

SYSTEMS AFFECTED

    Informix

PROBLEM

    'isno'  posted  following.   Webdriver  is  the  web  interface of
    Informix  database.   He  found  it  vulnerable.   In  the  common
    condition, webdriver  is submitted  with a  parameter, but  if you
    type

        http://victim/cgi-bin/webdriver

    directly, it will return a webpage which you can modify or  delete
    database on it.

    When no  parameters are  passed, the  webdriver uses  the defaults
    found  in  the  web  configuration,  which  is  stored  within the
    'webconfigs'  table  in  v4  web  blade  installations, and in the
    web.cnf file in v3 web blade installations.

    By default, the MIval is set to /default.html, and this page  does
    not even  exist within  the database  when the  web blade is first
    installed, hence will give you a 404.

    Webdriver makes /tmp/.log with  permissions -rw-rw-rw- when it  is
    under Debug running, but it is the default configuration.

SOLUTION

    Web DataBlade  manuals have  a comment  about leaving  the AppPage
    Builder program running on a  production database on page 11-4  of
    the Version 4.0 Administrator's Guide.

        "You should not install AppPage Builder (APB) in a  Production
         Database, since APB is typically only used during development
         and  can  pose  a  security  risk  if present in a production
         database."

    With a proper setup  the above URL would  send you to a  404 Asset
    not found or a company home page or whatever.