SecurityTracker Archives

Category:   Application (Web Server/CGI)  >   RaidenHTTPD Vendors:   RaidenHTTPD TEAM
RaidenHTTPD Discloses PHP Source Code and Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1013334
SecurityTracker URL:  http://securitytracker.com/id/1013334
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 1 2005
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.1.34
Description:   Tan Chew Keong of SIG^2 reported two vulnerabilities in RaidenHTTPD. A remote user can view the source code of PHP scripts on the target system. A remote user may also be able to execute arbitrary code on the target system.

A remote user can request a specially crafted URL to obtain the source code of PHP scripts on the server.

A remote user can submit a specially crafted HTTP request with a URL that is longer than 524 characters to trigger a buffer overflow and execute arbitrary code. The code will run with Local System privileges.
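The boundary error behind the second issue is a request-target longer than a fixed-size buffer. The following is an added illustration written for this page, not RaidenHTTPD's code (which is not published here): a request-line parser that copies the target into a bounded buffer and refuses anything longer than the 524-character figure the advisory gives, plus a small triage helper that counts over-long request lines in a constructed sample. The limit `MAX_TARGET_LEN`, the function names and the sample request lines are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit taken from the advisory's 524-character figure; the real
 * server's buffer layout is not known, so this value is an example choice. */
#define MAX_TARGET_LEN 524

/* Extract the request-target from a request line such as
 * "GET /index.php HTTP/1.1" into out (capacity out_cap).
 * Returns the target length on success, -1 for a malformed line and
 * -2 when the target exceeds MAX_TARGET_LEN or would not fit in out.
 * An unchecked strcpy() into a char[MAX_TARGET_LEN] here is exactly the
 * pattern that turns an over-long URI into a stack overflow. */
int extract_target(const char *line, char *out, size_t out_cap)
{
    const char *sp1 = strchr(line, ' ');          /* end of the method */
    if (sp1 == NULL) return -1;
    const char *start = sp1 + 1;
    const char *sp2 = strchr(start, ' ');         /* end of the target */
    if (sp2 == NULL) return -1;

    size_t len = (size_t)(sp2 - start);
    if (len == 0) return -1;
    if (len > MAX_TARGET_LEN) return -2;          /* the bound check */
    if (len + 1 > out_cap) return -2;             /* never trust out_cap blindly */

    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

/* Construct a request line whose target is exactly target_len characters
 * ("/" followed by 'A's). Returns the line length or -1 if it does not fit. */
int build_request_line(char *buf, size_t cap, size_t target_len)
{
    const char *prefix = "GET ";
    const char *suffix = " HTTP/1.0";
    size_t need = strlen(prefix) + target_len + strlen(suffix) + 1;
    if (target_len == 0 || need > cap) return -1;

    size_t pos = 0;
    memcpy(buf + pos, prefix, strlen(prefix));    pos += strlen(prefix);
    buf[pos++] = '/';
    memset(buf + pos, 'A', target_len - 1);       pos += target_len - 1;
    memcpy(buf + pos, suffix, strlen(suffix));    pos += strlen(suffix);
    buf[pos] = '\0';
    return (int)pos;
}

/* Count request lines whose target exceeds the limit (return code -2). */
int count_overlong(const char *const *lines, size_t n)
{
    char out[MAX_TARGET_LEN + 1];
    int flagged = 0;
    for (size_t i = 0; i < n; i++)
        if (extract_target(lines[i], out, sizeof out) == -2)
            flagged++;
    return flagged;
}

/* Triage a constructed sample: one normal request, one at the limit and
 * one well past it. Only the last should be flagged, so this returns 1. */
int flagged_sample_count(void)
{
    static char at_limit[1024], past_limit[1024];
    build_request_line(at_limit, sizeof at_limit, MAX_TARGET_LEN);
    build_request_line(past_limit, sizeof past_limit, 600);
    const char *sample[] = { "GET /index.php HTTP/1.1", at_limit, past_limit };
    return count_overlong(sample, 3);
}

int main(void)
{
    printf("over-long request lines in sample: %d\n", flagged_sample_count());
    return 0;
}
```

A server-side check like `extract_target` refuses the over-long target before any copy happens; the same length test applied to access-log request lines gives a cheap way to spot probing for this class of bug after the fact.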

The vendor was notified on February 22, 2005.

The original advisory is available at:

http://www.security.org.sg/vuln/raidenhttpd1132.html

Impact:   A remote user can view the source code of PHP scripts on the target system.

A remote user may be able to execute arbitrary code on the target system with Local System privileges.

Solution:   The vendor has released a fixed version (1.1.34).
Vendor URL:  www.raidenhttpd.com/
Cause:   Access control error, Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


Source Message Contents

Subject:  [SIG^2 G-TEC] RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure


SIG^2 Vulnerability Research Advisory

RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure Vulnerabilities

by Tan Chew Keong
Release Date: 01 Mar 2005


ADVISORY URL
http://www.security.org.sg/vuln/raidenhttpd1132.html


SUMMARY

RaidenHTTPD Server (http://www.raidenhttpd.com/en/index.html) is a 
full-featured web server software for Windows 98 / Me / 2000 / XP / 2003 
platforms. It is easy to use and install, and is designed for anyone who 
wants to have a website running within minutes. A CGI source code 
disclosure vulnerability was found in RaidenHTTPD that may be exploited 
to obtain the source code of any PHP scripts on the server. A buffer 
overflow vulnerability was also found that may be remotely exploited to 
cause DoS and allows arbitrary code execution.


TESTED SYSTEM

RaidenHTTPD Server Version 1.1.32 (Shareware) on English Win2K SP4.


DETAILS

This advisory documents two vulnerabilities found in RaidenHTTPD server. 
The first vulnerability may be remotely exploited to obtain the source 
code of any PHP scripts on the server. The second is a buffer overflow 
vulnerability that may be remotely exploited to cause DoS or to execute 
arbitrary code on the server.


1. CGI source code disclosure vulnerability.

RaidenHTTPD supports the use of CGI scripts using PHP or PERL. The 
default installation comes with PHP installed. Using a specially crafted 
URL, it is possible to obtain the source code of any PHP scripts on the 
server.


2. Buffer overflow when processing HTTP requests with long URI.

A buffer overflow condition occurs when RaidenHTTPD receives a URI with 
more than 524 characters in the URI. Successful exploitation allows code 
execution with LOCAL SYSTEM privilege.


PATCH

The vendor has released version 1.1.34, which fixes these vulnerabilities.


DISCLOSURE TIMELINE

20 Feb 05 - Vulnerability Discovered.
22 Feb 05 - Initial Vendor Notification.
22 Feb 05 - Initial Vendor Reply.
22 Feb 05 - Received notification from vendor that fixed version 1.1.34 
is released.
01 Mar 05 - Public Release.


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

"IT Security...the Gathering. By enthusiasts for enthusiasts."

Copyright 2021, SecurityGlobal.net LLC