[NT] XCache Web Server Cache Path Disclosure

From: support@securiteam.com
Date: 09/24/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] XCache Web Server Cache Path Disclosure 
Message-Id: <20010924193359.BAB5B138C1@mail.der-keiler.de>
Date: Mon, 24 Sep 2001 21:33:59 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  XCache Web Server Cache Path Disclosure
------------------------------------------------------------------------

SUMMARY

XCache (http://www.xcache.com), a web server accelerator for Windows NT and
Windows 2000, reveals the absolute pathnames of documents served by the web
server when caching is turned off for that document.

DETAILS

Vulnerable systems:
XCache version 2.1
XCache version 2.0

XCache is an application that runs in front of the Microsoft IIS web
server (versions 4 and 5) and caches pages. When a request is made for a
particular document, XCache checks to see if it holds a cached copy of the
document, and returns it if so, thus reducing the load on the underlying
web server.

This is most useful for dynamic content, such as .asp scripts. However,
for some scripts, it is not desirable to hold a cached copy. These scripts
are most commonly those that are specific to individual users, such as
Shopping Baskets and the like. For this reason, XCache provides the
functionality to turn off caching for individual pages, or for entire
folders (in which case no page or subfolder within that folder will be
cached either).

When caching is turned off for a document, XCache returns the absolute
pathname to that document in the HTTP headers. Sample headers are below:

$ telnet 192.168.0.21 80
Trying 192.168.0.21...
Connected to 192.168.0.21.
Escape character is '^]'.
GET /home/index.html HTTP/1.0

HTTP/1.1 200 OK
Content-PageName: D:\Inetpub\wwwroot\home\index.html
Date: Tue, 18 Sep 2001 16:08:59 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Tue, 18 Sep 2001 15:10:48 GMT
ETag: "0ccc3185440c11:925"
Content-Length: 59
Server: Microsoft-IIS/5.0 Running XCache Version (2.1.5629.1)

<HTML>
<BODY>
This is a test...
</BODY>
</HTML>
Connection closed by foreign host.

The pathname is revealed as the header 'Content-PageName' in the server
response.

As previously mentioned, if a folder has caching disabled, all documents
contained in that folder and its subfolders are also not cached, and have
their paths given out as above. This applies to static HTML pages, images,
and dynamic content such as .asp scripts.
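A small audit helper, added here as an example and not part of the original advisory or of XCache, that parses a raw HTTP response, flags any header whose value is a Windows filesystem path (such as XCache's Content-PageName shown above), and reports whether the leaked path lies outside the expected content root. The sample response and the assumed webroot D:\Inetpub\wwwroot are constructed from the headers quoted in the advisory.

```python
import re

# Constructed sample: the XCache response quoted in the advisory, CRLF-terminated.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-PageName: D:\\Inetpub\\wwwroot\\home\\index.html\r\n"
    "Date: Tue, 18 Sep 2001 16:08:59 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/5.0 Running XCache Version (2.1.5629.1)\r\n"
    "\r\n"
    "<HTML><BODY>This is a test...</BODY></HTML>"
)

# A drive-letter path (D:\...) or a UNC path (\\host\share\...) inside a header value.
WIN_PATH = re.compile(r"(?:[A-Za-z]:\\|\\\\[^\\\s]+\\)[^\r\n]*")


def parse_response(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def find_path_disclosure(raw):
    """Return [(header_name, leaked_path)] for every header carrying a filesystem path."""
    _, headers, _ = parse_response(raw)
    return [(n, m.group(0)) for n, v in headers for m in [WIN_PATH.search(v)] if m]


def is_xcache(raw):
    """True when the Server header advertises XCache, the product this advisory covers."""
    _, headers, _ = parse_response(raw)
    return any(n.lower() == "server" and "xcache" in v.lower() for n, v in headers)


def outside_webroot(path, webroot="D:\\Inetpub\\wwwroot"):
    """True when a leaked path is not under the content root (assumed webroot value);
    the advisory flags this case, e.g. /scripts mapped onto the system partition."""
    root = webroot.lower().rstrip("\\") + "\\"
    return not path.lower().startswith(root)


if __name__ == "__main__":
    for name, path in find_path_disclosure(SAMPLE_RESPONSE):
        severity = "outside webroot" if outside_webroot(path) else "inside webroot"
        print(f"{name} leaks {path} ({severity}); XCache={is_xcache(SAMPLE_RESPONSE)}")
```

In practice the raw response comes from whatever fetch you use for a site audit; feeding each response through find_path_disclosure gives a list of the pages whose paths are being given out.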

This information can be critical to an attacker, as many web server
vulnerabilities require the attacker to know the webroot, to be able to
provide an appropriate path to an executable such as 'cmd.exe', or other
useful information held outside the root directory of the web server.

Moreover, if the document requested is held outside the webroot, for
example in the /scripts or /msadc folders, XCache will still return the
absolute path of the document. In the common case where the web server
content is held on a drive partition different from the operating system's,
this allows an attacker to quickly check which folders map to directories
on the system partition, and hence can help in reaching critical OS
executables.

Hence, while this vulnerability itself does not compromise the machine, it
reveals information that will assist an attacker greatly in using other
exploits, such as the Unicode or Double-decode vulnerabilities for IIS 5.

Vendor & patch information:
The vendor of this product, XCache Technologies, was contacted. They were
receptive to the report and produced a patch within 24 hours.

The patch is not available for public download, but users of XCache can
obtain it by contacting support@xcache.com.

Workarounds:
No workarounds for this vulnerability have been reported.

ADDITIONAL INFORMATION

The information has been provided by IRMPLC (advisories@irmplc.com).
