SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   04WebServer
Vendors:   Soft3304
04WebServer Input Validation Holes Let Remote Users Inject Log Entries and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1012173
SecurityTracker URL:  http://securitytracker.com/id/1012173
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 11 2004
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.42
Description:   Several vulnerabilities were reported in 04WebServer. A remote user can inject arbitrary characters into the log file. A remote user can conduct cross-site scripting attacks. A remote user may be able to cause denial of service conditions.

Tan Chew Keong of SIG^2 Vulnerability Research reported that the default 404 Not Found response (Response_default.html) does not properly filter HTML code before displaying the originally requested URL. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the 04WebServer software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit is provided:

http://[target]/<script>alert('XSS');</script>

It is also reported that a remote user can inject arbitrary characters into the log file. A remote user can exploit this to inject false log entries. A demonstration exploit URL is provided:

http://[target]/a%0a[22;45;24]%20<192.168.1.3>%20(74,632)%20[%90%b3%8f%ed%82%c9%8f%49%97%b9%82%b5%82%dc%82%b5%82%bd]%20GET%20/hack

It is also reported that a remote user can request an MS-DOS device name to prevent the server from restarting properly the next time that the administrator attempts to restart the service via the Windows Service Control Manager. A demonstration exploit URL is provided:

http://[target]/COM2

The vendor was notified on July 30, 2004.

The original advisory is available at:

http://www.security.org.sg/vuln/04webserver142.html
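
The three input-handling flaws described above share one cause: the requested path is decoded and then used unfiltered in the 404 page, the log file and the file system. The following Python sketch is an added example, not code from 04WebServer or from the vendor's fix; the function names and the `\xNN` log escaping format are assumptions chosen for illustration. It shows the output encoding and validation a server would apply at each of those three points.

```python
import html
import re
from urllib.parse import unquote_to_bytes

# Reserved MS-DOS device names: CON, PRN, AUX, NUL, COM1-9, LPT1-9.
_DEVICES = {"con", "prn", "aux", "nul"} | {
    f"{p}{n}" for p in ("com", "lpt") for n in range(1, 10)
}

# Request paths from the advisory's demonstrations; the log-injection one
# is shortened here (the bracketed percent-encoded bytes are left out).
XSS_DEMO = "/<script>alert('XSS');</script>"
LOG_DEMO = "/a%0a[22;45;24]%20<192.168.1.3>%20(74,632)%20GET%20/hack"
DEVICE_DEMO = "/COM2"


def decode_path(raw_path: str) -> str:
    """Percent-decode a request path; latin-1 keeps every byte visible."""
    return unquote_to_bytes(raw_path).decode("latin-1")


def log_field(value: str) -> str:
    """Escape control, non-ASCII and backslash characters as \\xNN so a
    single request can never span more than one log line."""
    return "".join(
        ch if 0x20 <= ord(ch) < 0x7F and ch != "\\" else "\\x%02x" % ord(ch)
        for ch in value
    )


def render_404(path: str) -> str:
    """Build a 404 body with the requested path HTML-escaped."""
    return "<html><body>404 Not Found: %s</body></html>" % html.escape(path)


def is_device_name(path: str) -> bool:
    """True if any path segment (ignoring extension) is a device name."""
    return any(
        seg.split(".")[0].strip().lower() in _DEVICES
        for seg in re.split(r"[\\/]", path)
    )


if __name__ == "__main__":
    print(repr(decode_path(LOG_DEMO)))       # raw: contains a line feed
    print(log_field(decode_path(LOG_DEMO)))  # neutralised: one line
    print(render_404(decode_path(XSS_DEMO)))
    print(is_device_name(decode_path(DEVICE_DEMO)))
```

Escaping at the point of output (log writer, HTML template) rather than rejecting at the point of input keeps the original request visible to an investigator while removing its ability to forge entries or run script.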

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the 04WebServer software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can inject arbitrary characters into the log file.

A remote user may be able to prevent the service from being restarted.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.soft3304.net/04WebServer/
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 17 2004 Re: 04WebServer Input Validation Holes Let Remote Users Inject Log Entries and Conduct Cross-Site Scripting Attacks
The vendor has issued a fix.



Copyright 2021, SecurityGlobal.net LLC