SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Sambar Server Vendors:   Sambar Technologies
Sambar Server Contains Multiple Unspecified Vulnerabilities
SecurityTracker Alert ID:  1007819
SecurityTracker URL:  http://securitytracker.com/id/1007819
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 26 2003
Impact:   Not specified
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 6.0 beta 6
Description:   Several vulnerabilities were reported in Sambar Server. The specific nature of these flaws was not disclosed, but one is reported to be a "significant" vulnerability.

Several security vulnerabilities were reported in Sambar Server.

Unspecified flaws were reported in the following scripts:

/cgi-bin/testcgi.exe
testisa.dll
samples/search.dll
/cgi-bin/environ.pl
/cgi-bin/mortgage.pl
/cgi-bin/book.pl
/cgi-bin/dumpenv.pl

In addition, unspecified flaws were reported in '/samples/*.shtml'

An unspecified but "significant" flaw was reported in the HTTP Proxy server.

David Endler of iDEFENSE is credited with reporting these flaws.

[Editor's note: The vendor's web site provided only limited information about these vulnerabilities. When iDEFENSE releases their advisory, we will update this alert if additional details are available.]

Impact:   The impact was not disclosed.
Solution:   The vendor has released a fixed version (6.0 beta 6 release), to be available shortly at:

http://www.sambar.com/

Vendor URL:  www.sambar.com/security.htm (Links to External Site)
Cause:   Not specified
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  http://www.sambar.com/security.htm


Several security vulnerabilities have been reported in Sambar Server.

David Endler of iDEFENSE is credited with reporting these flaws.

The vendor indicates that the flaws have been fixed in the 6.0 beta 6 release.

http://www.sambar.com/security.htm


 > /cgi-bin/testcgi.exe should be removed (shipped in 5.X releases).
 >
 > testisa.dll should be removed (shipped in 5.X releases.)
 >
 > samples/search.dll should be removed (shipped in 5.x releases.)
 >
 > /cgi-bin/environ.pl, /cgi-bin/mortgage.pl, /cgi-bin/book.pl and /cgi-bin/dumpenv.pl
 > should be removed (shipped prior to 6.0 beta 6.)
 >
 > /samples/*.shtml should be removed (shipped prior to 6.0 beta 6.)
 >
 > The auto-execution of .pl CGI scripts can be exploited to attack Windows devices (prior
 > to the 6.0 beta 3). The config.ini parameter Perl Executable should be removed and perl
 > scripts specified using the #! directive at the top of the CGI script.
 >
 > The HTTP Proxy server (prior to 6.0 beta) contains a significant security vulnerability;
 > all 5.x proxy servers should be disabled or you should disallow 127.0.0.1 via a
 > proxydeny entry in the security.ini file.
 >


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC