SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Web Server/CGI)  >   Sambar Server Vendors:   Sambar Technologies
Sambar Server Discloses Script Source Code to Remote Users and Can Be Crashed By Remote Users via Malformed URLs
SecurityTracker Alert ID:  1004084
SecurityTracker URL:  http://securitytracker.com/id/1004084
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 17 2002
Impact:   Denial of service via network, Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.1p
Description:   A vulnerability was reported in Sambar Server in the web server's URL parsing function. A remote user can view the source code of scripts and also crash the web service.

KPMG reported that there is a flaw in the server-side URL parsing function. A remote user could reportedly create a URL that would bypass server-side file parsing and display the source code of scripts on the web server, such as .pl, .jsp, .asp, .stm scripts. A remote user could also apparently request certain DOS-devices to cause the web service to crash.

To exploit this vulnerability, the remote user must access the resource with a suffix of <space><null>. A demonstration exploit URL that would return the source code of the 'environ.pl' Perl script is provided:

http://server/cgi-bin/environ.pl+%00
Impact:   A remote user can view the source code of scripts on the web server. A remote user can cause the web service to crash.
Solution:   The vendor has released a fixed version (5.2b), which is reportedly available at:

http://sambar.dnsaloas.org/win32-preview.tar.gz

On the vendor web page, the vendor indicates that a full beta release will be available shortly.
Vendor URL:  www.sambar.com (Links to External Site)
Cause:   Input validation error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Wed, 17 Apr 2002 08:52:27 -0400
Subject:  KPMG-2002012: Sambar Webserver Serverside Fileparse Bypass



--------------------------------------------------------------------

          -=>Sambar Webserver Serverside Fileparse Bypass<=-
                      courtesy of KPMG Denmark

BUG-ID: 2002012
Released: 17th Apr 2002
--------------------------------------------------------------------
Problem:
========
A flaw in the serverside URL parsing could allow a malicious user to
bypass serverside fileparsing and display the sourcecode of scripts.
The same flaw could allow a malicious user to crash the web service.


Vulnerable:
===========
- Sambar Webserver V5.1p on Windows 2000
- Other versions were not tested.


Details:
========
It is possible to bypass the serverside parsing of scripts, such as
.pl, .jsp, .asp, .stm and download the sourcecode. The bypassing also
opens up for a request to certain DOS-devices that the server would
then attempt to access. These ressources used in such requests are
not freed properly and as a result, the web server will eventually
run out of memory and the operating system will kill the web
service.

To bypass the serverside parsing, an attacker would have to access
the ressource with a suffix of <space><null>. There are a lot of
ways to achieve this in eg. Internet Explorer, and an example of
sourcecode exposure could be:

http://server/cgi-bin/environ.pl+%00

which would return the following (perl sourcecode):

read(STDIN, $CONTENT, $ENV{'CONTENT_LENGTH'});
print< GATEWAY_INTERFACE: $ENV{'GATEWAY_INTERFACE'}
PATH_INFO:  $ENV{'PATH_INFO'}
PATH_TRANSLATED:  $ENV{'PATH_TRANSLATED'}
QUERY_STRING:  $ENV{'QUERY_STRING'}
REMOTE_ADDR:  $ENV{'REMOTE_ADDR'}
REMOTE_HOST:  $ENV{'REMOTE_HOST'}
REMOTE_USER:  $ENV{'REMOTE_USER'}
REQUEST_METHOD:  $ENV{'REQUEST_METHOD'}
DOCUMENT_NAME:  $ENV{'DOCUMENT_NAME'}
DOCUMENT_URI:  $ENV{'DOCUMENT_URI'}
SCRIPT_NAME:  $ENV{'SCRIPT_NAME'}
SCRIPT_FILENAME:  $ENV{'SCRIPT_FILENAME'}
SERVER_NAME:  $ENV{'SERVER_NAME'}
SERVER_PORT:  $ENV{'SERVER_PORT'}
SERVER_PROTOCOL:  $ENV{'SERVER_PROTOCOL'}
SERVER_SOFTWARE:  $ENV{'SERVER_SOFTWARE'}
CONTENT_LENGTH:  $ENV{'CONTENT_LENGTH'}
CONTENT:  $CONTENT
END


Vendor URL:
===========
You can visit the vendors webpage here: http://www.sambar.com


Vendor response:
================
The vendor was contacted 3rd of April, 2002. The vendor confirmed the
bug on the same day, and notified us that a patch was being developed.
On the 17th of April, the vendor released a new version that corrects
the issues.


Corrective action:
==================
The vendor has released Version 5.2b, which is available here:
http://sambar.dnsaloas.org/win32-preview.tar.gz


Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC