Siemens DB4Web Application Server Discloses Files on the System to Remote Users
SecurityTracker Alert ID: 1005241|
SecurityTracker URL: http://securitytracker.com/id/1005241
(Links to External Site)
Date: Sep 18 2002
Disclosure of system information, Disclosure of user information|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): 3.4, 3.6; possibly other versions|
An input validation and information disclosure vulnerability was reported in Siemens DB4Web application server. A remote user can view files on the server that are located outside of the intended directory.|
Guardeonic Solutions reported that a remote user can request a specially crafted URL to view arbitrary files on the system that are readable by the web server process.
The flaw reported resides in the db4web_c binary (on Unix/Linux systems) and db4web_c.exe binary (on Microsoft Windows systems).
Some demonstration exploit URLs are provided:
A remote user can view files located anywhere on the system that are readable by the web daemon.|
The vendor has released a fix. The patches are available at:|
Vendor URL: www.db4web.de/DB4Web/home/DB4Web/hotfix_e.html (Links to External Site)
Input validation error|
Linux (Any), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)|
Source Message Contents
Date: Tue, 17 Sep 2002 14:44:11 +0200|
Subject: Advisory: File disclosure in DB4Web
There is file disclosure bug in the application DB4Web. Attached you will
find the advisory with technical details and vendors response.
Guardeonic Solutions AG (www.guardeonic.com)
Security Advisory #01-2002
Advisory Name: DB4Web (R) File Disclosure
Release Date: 09/17/02
Affected Product: DB4Web (R) Application Server
Platform: Linux, *nix, MS Windows
Severity: A DB4Web component allows files on the server to be
Author: Stefan Bagdohn <firstname.lastname@example.org>
Vendor Communication: 08/29/02 Initial Notification via email to
08/30/02 Got vendor receipt via phone
09/02/02 Phone call by vendor regarding details
09/09/02 Second email to vendor asking for patch
09/16/02 Phone call and email from vendor,
(From vendors website): "DB4Web, Your Application Server for high performance
and secure Web-Applications with access to various data sources"
"DB4Web (R) is a high-performance application server that makes available a
multitude of data sources on the Web. This means that you can simultaneously
read from and write to relational databases and a multitude of other
information sources and applications through Intranet or the Internet."
(end of vendor citation)
The DB4Web (R) application can be misused to view (resp. download) files
located on the server by sending special http requests.
A DB4Web (R) server accessed with a webbrowser usually requests local or remote
databases to generate dynamic html pages. By requesting malicious URLs one can
manipulate the server application to disclose files located on the server
system. The browser will download them and (according to the mime-type) show
them directly within the browser window.
The db4web_c binary (on Unix/Linux systems) or db4web_c.exe binary (on
MS Windows) is located within the cgi-bin (scripts) directory of the
webserver on the DB4Web (R) system. This binary executes the database query
and is accessibly by the clients webbrowser.
On MS Windows systems the URL to retrieve the boot.ini file would
On Linux/Unix servers the following URL will show /etc/hosts:
In the above examples db4web.server.system means the Name or IP address of
the server, dbdirname ist the name of the local database directory and
%3A%5C is the representation of :\ needed to access c:\boot.ini.
One can also download files, cmd.exe for example, by requesting
The DB4Web team provided an update of their software and notified their
customers about the problem. The patches can be found at:
Thanks to the DB4Web team for good cooperation and fast response!
(more to come...)