Hacking PCReservation

by Henry Q. Buther

This article is for informational purposes only.  In no way should this information be used to deface any library that uses this system.

PCReservation is a system used by public libraries to give its customers the ability to make reservations online to use a public computer at the library.

To find out just how many libraries use this system, search for "Web Module for PCReservation" on any major search engine and you'll see.  Unfortunately this system is also very easy to exploit.

First we have our target's main reservation page where people can submit their reservation to use a computer at the library.

This might be: www.myfakelibrary.org/pcres/reserve.pl

From the URL we can see that they store their PCReservation files in the www.myfakelibrary.org/pcres directory (obviously not all sites will store their files in the same location - just look at the reservation page's URL to find the directory).

This directory contains:

cancel.jpg
configure.pl
confirm.jpg
home.jpg
locations.conf
lookup.jpg
pcr.jpg
query.jpg
reserve.conf
reserve.pl

Now obviously the .JPG files are worthless, but let's see about the other files.

Navigating to http://myfakelibrary.org/pcres/configure.pl brings you to a page asking for a password and which options you would like to edit, General Options or Branch Library List.

We'll come back to these two options later.  The question is where do we get that password?

We simply navigate to http://myfakelibrary.org/pcres/reserve.conf which should look something like this:

password=ThEpASsWorD
branch_lbl=Branch Library
home_page=http://www.myfakelibrary.org
library_name=My Fake Public Library
instructions=These are the instructions for people wanting to reserve a PC.
cgi_dir=/
images_dir=/images/pcres
msg_timeout=2.5

We see that the password is: ThEpASsWorD

Now we simply go back to http://myfakelibrary.org/pcres/configure.pl, enter the password, and choose which option we want.

Choosing "General Options" allows you to change everything listed in the reserve.conf file - the password, the library name, the homepage link, the instructions displayed on the main reservation page, the branch label, the CGI directory, the images directory, and the number of seconds before message timeout.

Choosing the "Branch Library List" option brings you to a listing of all library branches and their IP addresses and port numbers.

This listing can also be found in the locations.conf file.

At the bottom of the page you have the option to either add a branch or edit/delete a current branch.  These branches are what the user wanting to reserve a library PC will choose from.

As you can see, taking advantage of this system is very easy to do.  Libraries using this system do not have many options when it comes to security mainly because the file names listed above are the same for all libraries.

Creating an index page in the /pcres/ directory (something which should be done anyway) does prevent the curious from gaining access, but it doesn't keep those who already know the file names from getting in - those who could have easily gotten them from another library with an open directory or those who work for another library.

The purpose of this article is not so people will deface pages that use this system but so that this exploit can be brought to people's attention and hopefully be fixed.

Greets to xspel, CTD, and everyone who helped me put my findings into article form.
Return to $2600 Index