Borland Web Server Input Validation Flaw Discloses Files to Remote Users
|
|
SecurityTracker Alert ID: 1008840
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jan 25 2004
|
Impact: Disclosure of system information, Disclosure of user information
|
Exploit Included: Yes
|
Version(s): 1.0b3 and prior versions
|
Description: Rafel Ivgi (The-Insider) reported a vulnerability in the Borland Web Server (Corel Paradox web server). A remote user can view files located outside of the web document directory.
It is reported that the web server does not properly validate user-supplied input. A remote user can supply a specially crafted
URL containing directory traversal characters (e.g., '%5c%2e%2e', '../') to view arbitrary files on the target system.
Some demonstration
exploit URLs are provided:
http://[target]/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5cwin.ini
http://[target]/..................../autoexec.bat
|
Impact: A remote user can view files on the target system that are located outside of the web document directory.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.borland.com/ (Links to External Site)
|
Cause: Access control error, Input validation error
|
Underlying OS: Windows (Any)
|
Reported By: "Rafel Ivgi, The-Insider" <theinsider@012.net.il>
|
Message History:
None.
|
Source Message Contents
|
Date: Sat, 24 Jan 2004 20:56:06 +0200
From: "Rafel Ivgi, The-Insider" <theinsider@012.net.il>
Subject: BWS v1.0b3 Directory Transversal Vulnerability
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: BWS (Borland Web Server / (Corel Paradox)
Vendors:
http://www.Borland.com
http://www.Corel.com
Corporate mergers confuses the specified vendor.
Versions: <= 1.0b3
Platforms: Windows
Bug: Directory Transversal Vulnerability
Risk: High
Exploitation: remote with browser
Date: 24 Jan 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bug
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
BWS is an old web server used as a webserver for "Corel Paradox relational
database web interface".
This server was version was built in year 98, and is mostly running on
win98.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
The webserver uses a protection to avoid the directory traversal bug.
"//" is replaced to ""
"\." and "\.." is replaced to ""
"\" is replaced to "/"
"\\" is replaced to "//"
The server is also protected from classic Directory Transversal "/../".
The problem happens when the attacker uses the pattern:
"/..................../"
Or
"/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c" (Encoded version of
"\..\..\..\..\").
Which allows him to see and download any file in the remote system knowing
the path.
This allows any attacker to : Read and download any local file, and in most
cases retrieve the machine's password files and invade it (using
ssh,ftp,http,netbios,samba etc...).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
http://<host>/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5cwin.ini
http://<host>/..................../autoexec.bat
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Things that are unlikeable, are NOT impossible."
|
|
