Sambar Server's Web Server Lets Local Users Disclose Files Outside of the Documents Directory
SecurityTracker Alert ID: 1002038
SecurityTracker URL: http://securitytracker.com/id/1002038
Date: Jul 18 2001
Disclosure of system information, Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 5.0 Beta 6
The vendor reports that there are several vulnerabilities in the Sambar Server WWW server. One vulnerability allows local users (or remote users with .shtml upload privileges) to disclose the contents of files on the system to remote users. The nature of the other vulnerability was not disclosed.
The vendor indicates that the web server contains a Server Side Includes (SSI) bug that allows local users to specify the "#include file" functionality to display the contents of files outside the Documents Directory. To trigger this vulnerability, the user must be a local user or must have privileges to upload .shtml files to the server. The local user can insert "../" characters in the #include file directive to cause it to break out of the Documents Directory.
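Added example (not vendor or SecurityTracker code): one way to confine an SSI "#include file" target to the Documents Directory and to audit uploaded .shtml pages for directives that escape it. The function names, the document root /srv/sambar/docs, the page path and the sample page are constructed for illustration; the page does not show how the vendor's patch works.

```python
import os
import re

# Matches SSI directives such as <!--#include file="header.inc" -->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+file\s*=\s*["\']([^"\']*)["\']\s*-->', re.IGNORECASE)

def resolve_include(doc_root, page_path, include_value):
    """Resolve an include target relative to the including page.

    Returns the absolute path if it stays inside doc_root, else None.
    """
    root = os.path.realpath(doc_root)
    # The server runs on Windows, so treat backslashes as separators too.
    value = include_value.replace("\\", "/")
    base = os.path.dirname(os.path.join(root, page_path))
    # realpath collapses "../" segments (and symlinks) before the check.
    candidate = os.path.realpath(os.path.join(base, value))
    try:
        # Component-wise comparison: "/docs-old" does not count as inside "/docs".
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. different drives on Windows
        inside = False
    return candidate if inside else None

def audit_page(doc_root, page_path, text):
    """Return (include_value, allowed) for every #include file directive."""
    return [(m.group(1), resolve_include(doc_root, page_path, m.group(1)) is not None)
            for m in INCLUDE_RE.finditer(text)]

# Constructed sample page, as it might be uploaded to users/alice/index.shtml
SAMPLE = r'''<html><body>
<!--#include file="header.inc" -->
<!--#include file="../shared/footer.inc" -->
<!--#include file="../../../config.ini" -->
<!--#include file="..\..\..\other.txt" -->
</body></html>'''

if __name__ == "__main__":
    for value, ok in audit_page("/srv/sambar/docs", "users/alice/index.shtml", SAMPLE):
        print("allowed " if ok else "REJECTED", value)
```

The check is made on the resolved path rather than by searching the directive for "../", so a relative include that stays inside the Documents Directory is still served while one that climbs above it is refused.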
All versions of the Sambar WWW Server prior to 5.0 beta 5 have a second security vulnerability in the pagecount sample code. The nature of this vulnerability was not disclosed.
[Editor's Note: The following older vulnerabilities are described below for completeness but are not formally part of this alert.]
The 4.2 and 4.3 production releases reportedly contain a vulnerability in the netutils sample code. A buffer-overrun exploit can reportedly be used against the "finger" RPC.
The 4.3 production release reportedly contains a vulnerability that can allow a remote user to access .htm and .html files in a directory secured by .htaccess constraints. To trigger this vulnerability, the remote user must know the file name in the secured directory.
A local user can cause files outside of the Documents Directory to be disclosed to remote web users.
These vulnerabilities will be fixed in 5.0 beta 6. A patch is currently available at the Vendor URL.
To correct the pagecount sample code vulnerability, the vendor recommends that users of versions prior to 5.0 beta 5 comment out the following line in config.ini and restart the server to disable the pagecount RPC/scalar:
INIT = samples.dll:general_init
For users of 4.2 or 4.3, the vendor recommends modifying config.ini and commenting out the following line to disable the network utility samples:
INIT = samples.dll:netutils_init
Users of the 4.3 production release can use the security.ini file to secure the directories and/or can rename any .htm or .html files in the .htaccess secured directory to .stm. The 4.4 beta 1 release includes a fix for this vulnerability.
Vendor URL: www.sambar.com/
Access control error, Input validation error
Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Wed, 18 Jul 2001 03:11:36 -0400
Subject: [NT] Sambar Web Server Allows Execution of Arbitrary Batch Files
parameters, the Restrict Relay IPs is likely unnecessary. A bug fix is
being tested and will be released with the 5.0 beta 6 release in the
WWW Server Security Alert
All versions of the Sambar WWW Server are vulnerable to a SSI bug that
allows users to use the "#include file" functionality to display the
contents of files outside the Documents Directory. This exploit can only
be used by users that have access to upload .shtml files to the server.
This bug will be fixed in the 5.0 Beta 6 release and has been fixed in
the 5.0 Beta 6 preview patch (currently available).
All versions of the Sambar WWW Server with the exception of 5.0 beta 5
and later releases have a security vulnerability associated with the
pagecount sample code. Please immediately comment out the following line
in your config.ini and restart your server (or upgrade to 5.0 beta 5):
INIT = samples.dll:general_init
This will disable the pagecount RPC/scalar. A patch for this bug will be
released during the week of 6/20.
The 4.2 and 4.3 production releases contain a vulnerability in the
netutils sample code shipped with the server. A buffer-overrun exploit
can be used against the "finger" RPC. A fix for this bug is being
prepared and should be available the week of 6/12/2000. In the meantime,
you should modify your config.ini and comment out the line: INIT =
samples.dll:netutils_init. This will disable the network utility samples
and remove this exploit.
In addition, a security hole has been found in the 4.3 production
release that can allow .htm and .html files in a directory secured by
.htaccess constraints to be accessed via browser. To exploit this hole,
a user must know the file name in the secured directory. This hole can
be secured by using the security.ini file to secure the directory and/or
by renaming any .htm or .html files in the .htaccess secured directory
to .stm. The 4.4 beta 1 release includes a fix for this vulnerability.
Many thanks to Melvyn Sopacua and James Wright for bringing this bug to