[NT] Gattaca Server Vulnerable to Multiple vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 07/13/03

    To: list@securiteam.com
    Date: 13 Jul 2003 15:58:41 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security in Canada

    Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
    We welcome ISPs, system integrators and IT systems resellers
    to promote the most advanced vulnerability assessment solutions today.

    Contact us at 416-482-0038 or at canadasales@beyondsecurity.com

    - - - - - - - - -

      Gattaca Server Vulnerable to Multiple vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    Gattaca Server (<http://www.gattaca-server.com/>) is described by its vendor as
    "A high performance Windows NT based Mail and Web Server software for building own intranet".

    DETAILS

    Directory Content Disclosure:
    By sending a GET request whose path starts with two slashes ("//"), the server
    returns a listing of the directory's content instead of the default web page.

    Example:
    http://[target]//

    Denial of Service:
    A security vulnerability in the server allows remote and local attackers
    to cause the server to crash by issuing a specific command (LLIST) with a
    buffer that exceeds 1048 bytes.

    $> LLIST AAAA...[1024]...AAAA

    Directory Traversal:
    Due to incorrect filtering of user-provided data, a remote attacker can
    cause the server to return the content of files that reside outside the
    web root (the path that should bound the served HTML).

    http://[target]/view.tmpl?testfile=../../winnt/win.ini

    Cross Site Scripting:
    Due to incorrect filtering of user-provided data, a remote attacker can
    cause the product to return malicious HTML/JavaScript as if it were the
    web server's own content.

    http://[target]/view2.tmpl?text=[hostile_code]

    For example, the hostile code could be:
    [script]alert("Cookie="+document.cookie)[/script]
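    For operators reviewing web server logs, the three HTTP issues above leave recognisable request patterns. The following script, added here as an example and not part of the advisory, URL-decodes each request and flags the doubled-slash path, traversal sequences in view.tmpl's testfile parameter and script content in view2.tmpl's text parameter. The log lines are constructed samples in Common Log Format.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jul/2003:10:01:02 +0200] "GET // HTTP/1.0" 200 512
192.0.2.10 - - [10/Jul/2003:10:01:05 +0200] "GET /view.tmpl?testfile=../../winnt/win.ini HTTP/1.0" 200 220
192.0.2.11 - - [10/Jul/2003:10:02:00 +0200] "GET /view.tmpl?testfile=..%2F..%2Fwinnt%2Fwin.ini HTTP/1.0" 200 220
192.0.2.12 - - [10/Jul/2003:10:03:00 +0200] "GET /view2.tmpl?text=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.0" 200 130
192.0.2.13 - - [10/Jul/2003:10:04:00 +0200] "GET /index.html HTTP/1.0" 200 1024
192.0.2.13 - - [10/Jul/2003:10:04:01 +0200] "GET /view.tmpl?testfile=about.txt HTTP/1.0" 200 300
"""

# Extracts the request target (path plus query) from the quoted request line.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SCRIPT_RE = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I)

def classify_request(target):
    """Return the list of finding labels for one request target."""
    findings = []
    raw_path, _, query_string = target.partition("?")
    path = unquote(raw_path)                   # decode %2F-style encoding first
    query = parse_qs(query_string, keep_blank_values=True)  # values are decoded
    # Directory content disclosure: request path beginning with "//"
    if path.startswith("//"):
        findings.append("dir-listing")
    # Directory traversal: ".." segment in view.tmpl's testfile parameter
    if path.lower().endswith("/view.tmpl"):
        for value in query.get("testfile", []):
            if ".." in value.replace("\\", "/").split("/"):
                findings.append("traversal")
                break
    # Cross-site scripting: script content in view2.tmpl's text parameter
    if path.lower().endswith("/view2.tmpl"):
        if any(SCRIPT_RE.search(v) for v in query.get("text", [])):
            findings.append("xss")
    return findings

def scan_log(text):
    """Return (client_ip, target, findings) for every suspicious log line."""
    hits = []
    for line in text.splitlines():
        match = REQ_RE.search(line)
        if not match:
            continue
        findings = classify_request(match.group("target"))
        if findings:
            hits.append((line.split(" ", 1)[0], match.group("target"), findings))
    return hits

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, ",".join(findings), target)
```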

    Vendor response(s) and Workarounds:
    Directory Content Disclosure:
    There are two ways to prevent this issue:

    1) Open the file %systemroot%\gattaca.ini in Notepad and locate the
    following section:
     ====================================
    [GATTACA]
    PATH=C:\GeeOSPub
    ENVIRONMENT=C:\GeeOSPub\wwwroot\.config
    SITE=C:\GeeOSPub\wwwroot\.config
     ====================================

    The last two lines (ENVIRONMENT and SITE) can be removed. Gattaca Server
    picks up the new configuration settings within 15 seconds.

    2) You can alternatively update the C:\GeeOSPub\wwwroot\.config file.
    Replace the following:
     =====================
    [HTTPFOLDER]
    /=1
     =====================

    With:
     =====================
    [HTTPFOLDER]
    /=0
     =====================

    Directory Traversal:
    Workaround:
    Remove the view.tmpl file.

    Cross Site Scripting:
    Vendor response:
    The script is intended to allow insertion of HTML/JavaScript, so at the
    moment the vendor does not consider this a vulnerability and is not
    planning to fix it.

    Disclosure timeline:
    08/07/2003 Vulnerability discovered
    08/07/2003 Vendor notified
    09/07/2003 Vendor response
    09/07/2003 Security Corporation clients notified
    09/07/2003 Started e-mail discussions
    10/07/2003 Last e-mail received
    10/07/2003 Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by Gregory Le Bras
    (<mailto:gregory.lebras@security-corporation.com>).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

