SecurityTracker.com
SecurityTracker
Archives

Category:   Application (Web Server/CGI)  >   XCache Vendors:   XCache Technologies
XCache Web Caching Server Discloses Path Names for Web Documents to Remote Users
SecurityTracker Alert ID:  1002442
SecurityTracker URL:  http://securitytracker.com/id/1002442
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 22 2001
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.1 (current version) for Windows NT and Windows 2000; 2.0 may also be affected
Description:   Information Risk Management Plc. reported a vulnerability in the XCache web page caching server. The server will disclose absolute path names of web server documents when caching is turned off for the document.

It is reported that when XCache caching is turned off for an individual page or for a directory, XCache will return the absolute path name of the document via the HTTP header.

For example, a request for a document for which caching is turned off (e.g., GET /home/index.html HTTP/1.0) will return the following information via HTTP:

Content-PageName: D:\Inetpub\wwwroot\home\index.html
Server: Microsoft-IIS/5.0 Running XCache Version (2.1.5629.1)

The path name is apparently disclosed in the 'Content-PageName' header response.

In addition, it is reported that if the requested document is located outside of the web root directory (e.g., in the /scripts or /msadc folders), then Xcache will still return the absolute path of the document.

Impact:   A remote user can obtain information about absolute path names for certain files on the web server.
Solution:   The vendor has developed a patch. Customers should contact the vendor via e-mail at:

support@xcache.com.

Vendor URL:  www.xcache.com/home/xcache_xcache_overview.htm
Cause:   Exception handling error
Underlying OS:  Windows (NT), Windows (2000)
Underlying OS Comments:  Tested on Windows NT4 Server + Option Pack + SP6a, Windows 2000 Server + SP2

Message History:   None.


Source Message Contents

Subject:  IRM Security Advisory: Xcache Path Disclosure Vulnerability



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
	IRM Security Advisory No. 001

	Xcache Webserver Cache Path Disclosure Vulnerability

	Vulnerability Type / Importance: Information Leakage / Medium

	Problem discovered: Mon, 17 Sep 2001
	Vendor contacted: Wed, 19 Sep 2001
	Advisory published: Fri, 21 Sep 2001
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Abstract:
~~~~~~~~~

	Xcache webserver accelerator for Windows NT and Windows 2000
reveals absolute pathnames of documents served by the webserver in
the case that caching is turned off for that document.

Description:
~~~~~~~~~~~~

	Xcache (http://www.xcache.com) is an application that runs in
front of the Microsoft IIS webserver (versions 4 and 5) and caches
pages. When a request is made for a particular document, Xcache checks
to see if it holds a cached copy of the document, and returns it if
so, thus reducing the load on the underlying webserver.
	This is most useful for dynamic content, such as .asp scripts.
However, for some scripts, it is not desirable to hold a cached copy.
These scripts are most commonly those which are specific to
individual users, such as Shopping Baskets and the like. For this
reason, Xcache provides the functionality to turn off caching for
individual pages, or for entire folders (in which case all pages and
subfolders in the folder will also not be cached).
	When caching is turned off for a document, Xcache returns the
absolute pathname to that document in the HTTP headers. Sample headers
are below:


[macavity@horus ~/work/research]$ telnet 192.168.0.21 80
Trying 192.168.0.21...
Connected to 192.168.0.21.
Escape character is '^]'.
GET /home/index.html HTTP/1.0

HTTP/1.1 200 OK
Content-PageName: D:\Inetpub\wwwroot\home\index.html
Date: Tue, 18 Sep 2001 16:08:59 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Tue, 18 Sep 2001 15:10:48 GMT
ETag: "0ccc3185440c11:925"
Content-Length: 59
Server: Microsoft-IIS/5.0 Running XCache Version (2.1.5629.1)

<HTML>

	<BODY>
		This is a test...
	</BODY>
</HTML>
Connection closed by foreign host.

	   The pathname is revealed as the header 'Content-PageName'
in the server response.
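The following is an added example, not part of the IRM advisory, showing how a response scanner would flag this leak: it parses a raw HTTP response like the one above, detects a 'Content-PageName' header carrying an absolute Windows path, and works out how much of the filesystem layout (the web root) that single header gives away. The sample response is constructed from the advisory's own headers; the function and variable names are mine.

```python
import re

# Constructed sample input: the response captured in the advisory, with the
# advisory's own path and Server header values, trimmed to the relevant lines.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-PageName: D:\\Inetpub\\wwwroot\\home\\index.html\r\n"
    "Date: Tue, 18 Sep 2001 16:08:59 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 59\r\n"
    "Server: Microsoft-IIS/5.0 Running XCache Version (2.1.5629.1)\r\n"
    "\r\n"
    "<HTML><BODY>This is a test...</BODY></HTML>"
)

# An absolute Windows path: drive letter, colon, backslash.
WIN_ABS_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lowercased name: value}).

    Only the head (everything before the first blank line) is parsed; the
    body is ignored. Header names are case-insensitive, so they are lowercased.
    """
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_path_disclosure(raw, request_path):
    """Report whether a response leaks a filesystem path and what it implies.

    request_path is the URI path that was requested (e.g. "/home/index.html").
    If the disclosed path ends with that URI path (slashes mapped to
    backslashes), the prefix left over is the server's web root.
    """
    status, headers = parse_headers(raw)
    findings = {"status": status, "leaks_path": False, "disclosed_path": None,
                "inferred_root": None,
                "xcache": "xcache" in headers.get("server", "").lower()}
    path = headers.get("content-pagename")
    if path and WIN_ABS_PATH.match(path):
        findings["leaks_path"] = True
        findings["disclosed_path"] = path
        suffix = request_path.replace("/", "\\")
        if path.lower().endswith(suffix.lower()):
            findings["inferred_root"] = path[: -len(suffix)]
    return findings
```

A response that carries the header but whose path does not end with the requested URI (the out-of-webroot case the advisory describes for /scripts or /msadc) is still flagged as a leak, with inferred_root left as None.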

	   As previously mentioned, if a folder has caching disabled,
all documents contained in that folder and its subfolders are also not
cached, and have their paths given out as above. This applies to
static HTML pages, images and dynamic content such as .asp scripts.

	   This information can be critical to an attacker, as many
webserver vulnerabilities require the attacker to know the webroot, so
as to be able to provide an appropriate path to an executable such as
'cmd.exe', or other useful information held outside the root
directory of the webserver.

	   Moreover, if the document requested is held outside the
webroot, for example the /scripts or /msadc folders, then Xcache will
still return the absolute path of the document. In the common case
where the webserver content is held on a drive partition different to
the operating system, this allows an attacker to quickly check which
folders map to directories on the system partition, and hence can help
access critical OS executables.

	   Hence, while this vulnerability itself does not compromise
the machine, it reveals information that will assist an attacker
greatly in using other exploits, such as the Unicode or Double-decode
vulnerabilities for IIS 5.


Tested Versions:
~~~~~~ ~~~~~~~~~
       Xcache 2.1 (current version) for Windows NT and Windows 2000
       (The authors were not able to obtain any previous versions,
but have found installations of Xcache 2.0 in the wild that appear to
be vulnerable)

Tested Operating Systems:
~~~~~~ ~~~~~~~~~ ~~~~~~~~
       Windows NT4 Server + Option Pack + SP6a
       Windows 2000 Server + SP2

Vendor & Patch Information:
~~~~~~ ~ ~~~~~ ~~~~~~~~~~~~
       The vendor of this product, Xcache Technologies, was
contacted. They were receptive to our report and produced a patch
within 24 hours.

       The patch is not available for public download, but users of
Xcache can obtain it by contacting support@xcache.com.


Workarounds:
~~~~~~~~~~~~
	No workarounds for this vulnerability have been discovered.


Credits:
~~~~~~~~
	Initial vulnerability discovery: B-r00t (br00t@irmplc.com)
	                                 Jacob  (jacob@irmplc.com)
	Testing and Advisory: Macavity (macavity@irmplc.com)
	Thanks: morphsta (morph@irmplc.com)
		Monkfish (monkfish@irmplc.com)
		indig0 (indig0@talk21.com)


Disclaimer:
~~~~~~~~~~~
	All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.

A copy of this advisory may be found at
http://www.irmplc.com/advisories

The PGP key used to sign IRM advisories can be obtained from the above
URL, or from keyserver.net and its mirrors.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Information Risk Management Plc.	http://www.irmplc.com
22 Buckingham Gate			advisories@irmplc.com
London					info@irmplc.com
SW1E 6LB
+44 (0)207 808 6420



Copyright 2021, SecurityGlobal.net LLC