Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » KPMG-2002012: Sambar Webserver Fileparse Bypass

KPMG-2002012: Sambar Webserver Fileparse Bypass

by Nikola Strahija on April 18th, 2002 A flaw in the serverside URL parsing could allow a malicious user to bypass serverside fileparsing and display the sourcecode of scripts. The same flaw could allow a malicious user to crash the web service.


--------------------------------------------------------------------

-=>Sambar Webserver Serverside Fileparse Bypass<=-
courtesy of KPMG Denmark

BUG-ID: 2002012
Released: 17th Apr 2002
--------------------------------------------------------------------
Problem:
========
A flaw in the serverside URL parsing could allow a malicious user to
bypass serverside fileparsing and display the sourcecode of scripts.
The same flaw could allow a malicious user to crash the web service.


Vulnerable:
===========
- Sambar Webserver V5.1p on Windows 2000
- Other versions were not tested.


Details:
========
It is possible to bypass the serverside parsing of scripts, such as
.pl, .jsp, .asp, .stm and download the sourcecode. The bypassing also
opens up for a request to certain DOS-devices that the server would
then attempt to access. These ressources used in such requests are
not freed properly and as a result, the web server will eventually
run out of memory and the operating system will kill the web
service.

To bypass the serverside parsing, an attacker would have to access
the ressource with a suffix of <space><null>. There are a lot of
ways to achieve this in eg. Internet Explorer, and an example of
sourcecode exposure could be:

http://server/cgi-bin/environ.pl+%00

which would return the following (perl sourcecode):

read(STDIN, $CONTENT, $ENV{'CONTENT_LENGTH'});
print < GATEWAY_INTERFACE: $ENV{'GATEWAY_INTERFACE'}
PATH_INFO: $ENV{'PATH_INFO'}
PATH_TRANSLATED: $ENV{'PATH_TRANSLATED'}
QUERY_STRING: $ENV{'QUERY_STRING'}
REMOTE_ADDR: $ENV{'REMOTE_ADDR'}
REMOTE_HOST: $ENV{'REMOTE_HOST'}
REMOTE_USER: $ENV{'REMOTE_USER'}
REQUEST_METHOD: $ENV{'REQUEST_METHOD'}
DOCUMENT_NAME: $ENV{'DOCUMENT_NAME'}
DOCUMENT_URI: $ENV{'DOCUMENT_URI'}
SCRIPT_NAME: $ENV{'SCRIPT_NAME'}
SCRIPT_FILENAME: $ENV{'SCRIPT_FILENAME'}
SERVER_NAME: $ENV{'SERVER_NAME'}
SERVER_PORT: $ENV{'SERVER_PORT'}
SERVER_PROTOCOL: $ENV{'SERVER_PROTOCOL'}
SERVER_SOFTWARE: $ENV{'SERVER_SOFTWARE'}
CONTENT_LENGTH: $ENV{'CONTENT_LENGTH'}
CONTENT: $CONTENT
END


Vendor URL:
===========
You can visit the vendors webpage here: http://www.sambar.com


Vendor response:
================
The vendor was contacted 3rd of April, 2002. The vendor confirmed the
bug on the same day, and notified us that a patch was being developed.
On the 17th of April, the vendor released a new version that corrects
the issues.


Corrective action:
==================
The vendor has released Version 5.2b, which is available here:
http://sambar.dnsaloas.org/win32-preview.tar.gz


Author: Peter Gründl ([email protected])

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »