SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Web Server/CGI)  >   WebSite Pro
Vendors:   Deerfield.com
Deerfield WebSite Pro Windows-based Web Server May Disclose CGI Source Code to Remote Users in Certain Cases
SecurityTracker Alert ID:  1004350
SecurityTracker URL:  http://securitytracker.com/id/1004350
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 22 2002
Impact:   Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.1.11.0
Description:   An information disclosure vulnerability was reported in Deerfield's WebSite Pro web server. A remote user may be able to view the source code of CGI scripts on the server under certain conditions.

It is reported that a remote user can, under the conditions described below, cause the server to return an unparsed server-side script instead of the script's output.

As described in the report, Windows generates an alternate short name in DOS 8.3 format for every long file name (e.g., "hello~1.jht" for "hello.jhtml"), and the file can be opened under either name. The WebSite Pro web server does not recognise a request for a file's short 8.3 name as a request for the long-named file and selects the handler from the requested (trimmed) extension rather than the real one. When no handler is associated with the trimmed extension, the default handler serves the raw file and discloses the source of the script. This occurs when the following conditions are met:

- When a scripting extension name is 4 or more characters long (e.g., jhtml/jhtm and shtml/shtm).

- When the trimmed (short 8.3) extension (jht and sht) is not associated with the proper handler or with any handler.

- When the requested script name (excluding the extension) is longer than 2 characters.
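The three conditions above, worked through as an added example (this is not code from Deerfield, Sanctum or SecurityTracker). The block models the 8.3 alternate-name scheme as the report describes it, a `Directory` that resolves both long and short names the way the file system does, a server that picks its handler from the extension of the name as requested, and a hardened variant that canonicalises to the long name first. The `Directory` class, the script handler, the handler table and the file contents are constructed for the example; the omission of Windows' upper-casing and illegal-character handling is a stated simplification.

```python
# Added example, not code from Deerfield, Sanctum or SecurityTracker.
# Models the 8.3 alternate-name scheme as the advisory describes it and a
# server that picks its handler from the extension of the name as requested.


def is_8dot3(name):
    """True if `name` already fits DOS 8.3 (<=8-char name, optional <=3-char ext)."""
    base, _, ext = name.partition(".")
    return 1 <= len(base) <= 8 and len(ext) <= 3 and "." not in ext and " " not in name


def short_name(long_name, taken=()):
    """Alternate 8.3 name per the advisory: name part trimmed to 6 chars plus
    "~N", extension trimmed to 3 chars, N incremented while the candidate is
    already taken. Simplifications (assumptions, not from the advisory): the
    1-2 character name-part exception is not implemented, and Windows'
    upper-casing and stripping of characters illegal in 8.3 names is omitted."""
    if is_8dot3(long_name):
        return long_name                      # Windows needs no alternate name
    name, dot, ext = long_name.rpartition(".")
    if not dot:
        name, ext = long_name, ""
    if len(name) < 3:
        raise ValueError("1-2 character name parts use a different scheme")
    lowered = {t.lower() for t in taken}
    n = 1
    while True:
        candidate = f"{name[:6]}~{n}" + (f".{ext[:3]}" if ext else "")
        if candidate.lower() not in lowered:
            return candidate
        n += 1


class Directory:
    """Constructed stand-in for a Windows directory: each file is reachable
    under its long name and under its generated 8.3 name, case-insensitively."""

    def __init__(self, files):
        self._long = {n.lower(): (n, body) for n, body in files.items()}
        self._short, taken = {}, []
        for lname in files:
            s = short_name(lname, taken)
            taken.append(s)
            self._short[s.lower()] = lname

    def canonical(self, requested):
        """Long name for a requested (long or 8.3) name, or None if absent."""
        key = requested.lower()
        return self._long[key][0] if key in self._long else self._short.get(key)

    def read(self, requested):
        lname = self.canonical(requested)
        if lname is None:
            raise FileNotFoundError(requested)
        return self._long[lname.lower()][1]


def script_handler(source):
    """Stand-in for the script engine (hypothetical): returns output, never source."""
    return "<html>Hello, world</html>"


def default_handler(source):
    """Default handler: returns the raw file. This is what leaks the source."""
    return source


HANDLERS = {"jhtml": script_handler, "shtml": script_handler}  # no "jht"/"sht"


def extension(name):
    return name.rpartition(".")[2].lower() if "." in name else ""


def serve_vulnerable(directory, path):
    """Dispatch on the extension of the name as requested ("jht" for
    hello~1.jht), which is the behaviour the advisory describes."""
    handler = HANDLERS.get(extension(path), default_handler)
    return handler(directory.read(path))


def serve_hardened(directory, path):
    """Canonicalise to the long name first and dispatch on *its* extension, so
    hello~1.jht is handled exactly like hello.jhtml. Refusing any name that
    contains "~N" outright is the simpler alternative the advisory credits to
    non-vulnerable servers."""
    lname = directory.canonical(path)
    if lname is None:
        return None                           # treat as 404
    handler = HANDLERS.get(extension(lname), default_handler)
    return handler(directory.read(lname))


# Constructed sample document root; the script bodies are made up.
JHTML_SOURCE = '<% String dbPassword = "s3cret"; %>\n<html>Hello, world</html>'
DOCROOT = Directory({"hello.jhtml": JHTML_SOURCE,
                     "helloworld.shtml": '<!--#exec cmd="id" -->'})

if __name__ == "__main__":
    print(short_name("hello.jhtml"))                 # hello~1.jht
    print(serve_vulnerable(DOCROOT, "hello~1.jht"))  # leaks JHTML_SOURCE
    print(serve_hardened(DOCROOT, "hello~1.jht"))    # runs the script instead
```

Canonicalising before dispatch fixes the handler selection without breaking legitimate access through short names; a server that has no reason to honour 8.3 names at all can simply reject any path segment containing `~` followed by digits, which is the cheaper check and closes the same hole.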

Impact:   In certain situations (described in the "Description" section), a remote user may be able to view the source code of CGI scripts on the server.
Solution:   The vendor has released a fixed version (3.1.13.0), available at:

http://www.deerfield.com/download/website/

The authors of the report have also provided the following workarounds:

"1. On NTFS (32-bit), you can disable the creation of the 8.3-compliant short file name for files with long file names by enabling (setting to 1) the "NtfsDisable8dot3NameCreation" registry key (registry path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\). However, this step may cause compatibility problems with 16-bit applications.

2. Associate the 8.3 format of the file extension with the same handler as the original file extension, e.g. if the extension in use is .jhtml, you should associate .jht with the same handler."
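Two checks a practitioner would want alongside these workarounds, written as an added example that is not code from the advisory, Deerfield or SecurityTracker: `audit_handlers` applies workaround 2 to a handler table given as an extension-to-handler dictionary and reports every 4+ character scripting extension whose 3-character truncation is unbound or bound to a different handler, and `find_short_name_requests` scans access-log lines for requests that use an 8.3 alternate name. The handler table, the handler names and the log lines are constructed for the example; the Common Log Format used here is an assumption, not WebSite Pro's own configuration or log format.

```python
import re

# Added example, not code from Deerfield, Sanctum or SecurityTracker.


def audit_handlers(handlers):
    """Workaround 2 as a check. For every extension of 4+ characters, its
    3-character 8.3 truncation must be bound to the same handler. Returns
    (findings, fixed): `fixed` is a copy of the table with missing truncations
    filled in; a truncation already bound to a *different* handler is reported
    as a conflict and left alone, since overwriting it could break that type."""
    fixed = dict(handlers)
    findings = []
    for ext, handler in sorted(handlers.items()):
        if len(ext) <= 3:
            continue                      # already an 8.3-safe extension
        trimmed = ext[:3]
        bound = fixed.get(trimmed)
        if bound is None:
            findings.append(("missing", ext, trimmed, handler))
            fixed[trimmed] = handler
        elif bound != handler:
            findings.append(("conflict", ext, trimmed, bound))
    return findings, fixed


# One client line per request, Common Log Format (assumed format).
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)')
# NAME~N or NAME~N.EXT with an extension of at most 3 characters.
ALT_NAME_RE = re.compile(r"~\d+(?:\.[^./]{1,3})?$")


def find_short_name_requests(log_text):
    """Return (client, request-target) for every request whose final path
    segment looks like an 8.3 alternate name; query strings are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        last = target.split("?", 1)[0].rsplit("/", 1)[-1]
        if ALT_NAME_RE.search(last):
            hits.append((client, target))
    return hits


# Constructed sample handler table and access log; none of this is real data.
SAMPLE_HANDLERS = {"jhtml": "java", "shtml": "ssi", "shtm": "ssi", "cgi": "cgi"}
ACCESS_LOG = """\
10.0.0.5 - - [22/May/2002:10:11:12 +0000] "GET /hello.jhtml HTTP/1.0" 200 143
10.0.0.5 - - [22/May/2002:10:11:13 +0000] "GET /hello~1.jht HTTP/1.0" 200 512
10.0.0.5 - - [22/May/2002:10:11:14 +0000] "GET /cgi-bin/hellow~1.sht?x=1 HTTP/1.0" 200 77
10.0.0.9 - - [22/May/2002:10:12:00 +0000] "GET /images/logo~old.gif HTTP/1.0" 200 9001
"""

if __name__ == "__main__":
    findings, fixed = audit_handlers(SAMPLE_HANDLERS)
    for f in findings:
        print("handler table:", f)
    for client, target in find_short_name_requests(ACCESS_LOG):
        print("8.3 request from", client, "for", target)
```

The audit treats a truncation that already points at a different handler as something to resolve by hand rather than overwrite; the log scan requires digits after the tilde, so a file that merely contains a tilde in its name (the constructed `logo~old.gif` line) is not flagged, while a 200 response to a `~1.jht` request is exactly the event to follow up on.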

Vendor URL:  www.deerfield.com/products/website/
Cause:   Exception handling error, State error
Underlying OS:  Windows (Any)
Underlying OS Comments:  Tested on Windows 2000

Message History:   None.


 Source Message Contents

Subject:  Multiple vendors web server source code disclosure (8.3 name form


///////////////////////////////////////////////////////////////////////
========================>> Security Advisory <<========================
///////////////////////////////////////////////////////////////////////


--------------------------------------------------------------------
Multiple vendors web server source code disclosure 
(8.3 name format vulnerability - Take II)
--------------------------------------------------------------------

=> Author: Ory Segal & Amit Klein - Sanctum inc. http://www.sanctuminc.com

=> Release date: 19/5/2002 (vendor was notified on 9/5/2002)

=> Vendor: General

The following servers were found to be vulnerable: 

  - Deerfield Website Pro 3.1.11.0 installed on 
    Microsoft Win2K (SP2).

  - Other web servers were found to be vulnerable to this problem,
    but we did not yet verify the vulnerability to our full satisfaction.

=> Severity: Medium/High

=> CVE candidate: Not assigned yet.

=> Summary: Several web servers that support requests of files in their 8.3 
format name can be tricked (under certain configurations) to present an unparsed 
server side script, whose file name is at least 3 characters long and whose file 
extension is at least 4 characters long (e.g. foo.jhtml)

=> Description: On Windows platforms, each "long file name" (file name which is 
not in DOS 8.3 format) has a "short file name" (in DOS 8.3 format) alternate 
name. For example, "longfilename.txt" (which is not in DOS 8.3 format) has an 
alternate file name "longfi~1.txt", and "name.jumbo" has an alternate file name 
"name~1.jum". The short file name is basically formed by taking the name part of 
the file name (all characters up to the extension), trimming it to 6 characters 
if necessary, and appending "~1" to it, and then trimming the extension to 3 
characters if necessary. If there is already a file with that same (alternate) 
name in the directory, then the number (after the "~") is incremented until a 
free name is found. This scheme has one exception - if the name part is 1-2 
characters long, then a different algorithm is used to produce the name part.

Web servers typically associate a handler to a resource according to its 
extension. And typically when no handler is associated with a particular 
extension, a default handler is used which returns the raw file.

Some (vulnerable) web servers, running on Windows platforms, fail to identify 
resources which are requested in their alternate 8.3 format as such, and will 
simply try to serve these files in the standard manner. This means that the 
handler associated with the extension is invoked, and the file is served through 
this handler (other, non-vulnerable web servers refuse to serve files in the 
alternate 8.3 format). This has a severe security impact in 
the following configuration:

- a scripting extension name is 4 or more characters long (e.g. jhtml/jhtm and 
shtml/shtm).

- The trimmed extension (jht and sht) is not associated with the proper handler 
(usually, not associated with any handler).

- The requested script name (excluding the extension) is longer than 2 
characters. For example: hello.jhtml and helloworld.shtml. In such a case, when 
requesting the alternate file name (for the script resource), e.g. hello~1.jht 
and hellow~1.sht, the vulnerable web server does not identify the resource name 
as an alternate name for a long file name, and attempts to serve the resource in 
the standard way. The server first extracts the extension ("jht" and "sht"), 
then associates a handler with it (since no handler is defined for "sht" or "jht" 
the default handler will be used in both cases), and invokes the handler, which 
returns the file as-is, without running it. This means that the script source is 
returned to the client, instead of the output of the script invocation. 

=> Solution: If you are running Deerfield WebSite Pro 3.1.11.0, upgrade to
version 3.1.13.0, which is available at:
http://www.deerfield.com/download/website/

=> Workaround:

1. On NTFS (32-bit), you can disable the creation of the 8.3-compliant short 
file name for files with long file names by enabling (setting to 1) the 
"NtfsDisable8dot3NameCreation" registry key (registry path: 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\). However, 
this step may cause compatibility problems with 16-bit applications.


2. Associate the 8.3 format of the file extension with the
same handler as the original file extension, e.g. if the 
extension in use is .jhtml, you should associate .jht with 
the same handler.


=> Note: The existence of this vulnerability in the aforementioned web servers 
was discovered by AppScan v3.0 - while running one of its "unknown 
vulnerability" tests. This vulnerability does not exist in any other scanner and 
is not yet registered in BugTraq or any other security resource.


Copyright 2021, SecurityGlobal.net LLC