Xitami Web Server Flaw in Processing Errors May Allow Remote Users to View CGI Source Code
SecurityTracker Alert ID: 1004336|
SecurityTracker URL: http://securitytracker.com/id/1004336
(Links to External Site)
Date: May 21 2002
Disclosure of user information|
Version(s): 2.4d9 and prior versions|
An information disclosure vulnerability was reported in the Xitami Web Server. A remote user may be able to view CGI source code contents on the system.|
SecuriTeam reported that there is an error in Xitami's processing of script errors (including missing interpreters). A remote user could supply a specially crafted URL designed to cause an error to the Xitami web server in order to cause the web server to display the CGI script contents.
No further details were provided.
The vendor has reportedly been notified.
SecuriTeam credits Matthew Murphy with reporting this bug.
A remote user may be able to view CGI source code on the web server.|
No solution was available at the time of this entry.|
Vendor URL: www.xitami.com/ (Links to External Site)
Exception handling error|
|Underlying OS: Linux (Any), OpenVMS, UNIX (Any), Windows (Me), Windows (NT), Windows (95), Windows (98)|
Source Message Contents
Date: Mon, 20 May 2002 00:44:17 -0500|
Subject: [NEWS] Xitami CGI Processing Failure Vulnerability
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Xitami CGI Processing Failure Vulnerability
<http://www.imatix.com/html/xitami/> Xitami is a high-quality portable
free web server. An error in the way Xitami handles script processing
errors (including missing interpreters) could allow an attacker to steal
CGI script contents.
* iMatix Co. Xitami Web Server version 2.4d9 and earlier.
iMatix support was notified 1 month ago, no response has been received.
If your CGI runs as expected, this vulnerability cannot be exploited (i.e.
if no error occurs the CGI's source code is not served).
The information has been provided by <mailto:firstname.lastname@example.org>
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: email@example.com
In order to subscribe to the mailing list, simply forward this email to: firstname.lastname@example.org
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business
profits or special damages.