COMMAND

    WebTrends Enterprise Reporting Server

SYSTEMS AFFECTED

    WebTrends Enterprise Reporting Server ver 1.5

PROBLEM

    Manos Megagiannis found the following.  WebTrends Enterprise
    Reporting Server ver 1.5 running on Linux or Solaris has the
    following vulnerabilities:

        1) If the WebTrends Enterprise Reporting Server is running as
           root, a file ownership misconfiguration may make it
           possible for local users to gain root privileges.

        2) WebTrends Enterprise Reporting Server logs debug
           information in a world readable and writable file.  The
           debug information may include user names and passwords
           stored in clear text.  It may be possible for local users
           to gain unauthorized access to the server as well as to
           the WebTrends administration software.  Local users can
           also modify that file, making the auditing mechanism
           unsafe.

           If the server is running without PAM, you have to use their
           interface to create new users and set their passwords.  In
           that case, by default, everything (including username and
           password) is stored in clear text in the file
           "interface.log" with read/write permissions for user, group
           and other.  Any local user can read that file, and
           therefore, if a WebTrends user also has a shell account on
           the box with the same password, that account can be
           compromised.  Also, since everybody has write access to
           that file, they can alter it, so the file is useless for
           auditing purposes.

        3) WebTrends Enterprise Reporting Server stores its user
           information in files with world read/write permissions.  It
           may be possible for local users to gain unauthorized access
           to the WebTrends administration software, and/or create a
           denial of service.  All user information is stored in the
           directory "wtm_wtx/datfiles/users" in the format
           "username.usr".  Those files have owner/group/other
           read/write permissions.  Any local user can decrypt the
           password or, even easier, alter/delete the user file and
           therefore create a denial of service.

        4) WebTrends Enterprise Reporting Server stores its profile
           information in files with world read/write permissions.  It
           may be possible for local users to create a denial of
           service.  How?  As with the user files, all profile
           information is stored in "wtm_wtx/datfiles/profiles" with
           owner/group/other read/write permissions.  Any local user
           can alter/delete the profile file and therefore create a
           denial of service.

        5) On WebTrends Enterprise Reporting Server, the default
           installation has a blank administrator password.  A remote
           user may be able to gain administrative privileges to the
           WebTrends administration software.

    A local user who has (or gains) uid or gid bin can gain root
    privileges.  The WebTrends directories with the script (executed
    as root) are owned by user bin, group bin, with read/write/execute
    permissions for owner and group.  Therefore someone can write a
    simple Perl script that will be executed as root.
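
    The permission problems above can be checked on an installed system.
    The following is an added example, not part of the original advisory
    or the vendor's software; the install root argument, the function
    names and the finding labels are assumptions, while the relative
    paths and the "interface.log" name come from the text above.

```shell
#!/bin/sh
# Added example, not vendor code. Usage: audit_webtrends INSTALL_ROOT [OWNER]
# INSTALL_ROOT is an assumption: the advisory gives only relative paths.

# Print one finding per line for the tree at $1; $2 is the expected owner.
wt_scan() {
    dat="$1/wtm_wtx/datfiles"
    # Items 3 and 4: user (*.usr) and profile files open to "other".
    # Read access exposes stored passwords; write access allows tampering.
    for d in "$dat/users" "$dat/profiles"; do
        [ -d "$d" ] || continue
        find "$d" -type f \( -perm -004 -o -perm -002 \) -print |
            sed 's/^/DATA FILE OPEN TO OTHER: /'
    done
    # Item 2: the interface.log debug log, wherever it lives under the root.
    find "$1" -type f -name interface.log \
        \( -perm -004 -o -perm -002 \) -print |
        sed 's/^/DEBUG LOG OPEN TO OTHER: /'
    # Last paragraph: directories holding scripts that run as root must not
    # be group/other-writable or owned by another account such as bin.
    find "$1" -type d \
        \( -perm -020 -o -perm -002 -o ! -user "$2" \) -print |
        sed 's/^/DIRECTORY NOT LOCKED DOWN: /'
}

# Return 0 when the tree is clean, 1 (after printing findings) otherwise.
audit_webtrends() {
    findings=$(wt_scan "$1" "${2:-root}")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run only when an install root is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_webtrends "$@"
fi
```

    The optional second argument names the account expected to own the
    directories and defaults to root.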

SOLUTION

    You can run the server as root or as some other user.  In order
    to use PAM (Pluggable Authentication Module) it has to run as
    root.  There is also an entry in the configuration file where
    you specify what user the front end will run as, but the front
    end just interfaces to the server, which runs as root anyway.
    Therefore you can still do whatever you want.  No proper solution
    yet.