
List:       bugtraq
Subject:    Re: 04WebServer Three Vulnerabilities
From:       <chewkeong () security ! org ! sg>
Date:       2004-11-15 2:53:37
Message-ID: 20041115025337.6416.qmail () www ! securityfocus ! com

In-Reply-To: <20041110172001.17019.qmail@www.securityfocus.com>

The author released version 1.50 on 14 Nov 2004, which fixes these vulnerabilities.

See updated SIG^2 Vulnerability Research Advisory
http://www.security.org.sg/vuln/04webserver142.html


> Received: (qmail 9787 invoked from network); 10 Nov 2004 21:29:41 -0000
> Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) \
> (205.206.231.26) by mail.securityfocus.com with SMTP; 10 Nov 2004 21:29:41 -0000
> Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
> 	by outgoing2.securityfocus.com (Postfix) with QMQP
> 	id 3223C14370C; Wed, 10 Nov 2004 14:12:48 -0700 (MST)
> Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq@securityfocus.com>
> List-Help: <mailto:bugtraq-help@securityfocus.com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
> List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
> Delivered-To: mailing list bugtraq@securityfocus.com
> Delivered-To: moderator for bugtraq@securityfocus.com
> Received: (qmail 20027 invoked from network); 10 Nov 2004 11:05:16 -0000
> Date: 10 Nov 2004 17:20:01 -0000
> Message-ID: <20041110172001.17019.qmail@www.securityfocus.com>
> Content-Type: text/plain
> Content-Disposition: inline
> Content-Transfer-Encoding: binary
> MIME-Version: 1.0
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
> From: "Jérôme" ATHIAS <jerome@athias.fr>
> To: bugtraq@securityfocus.com
> Subject: 04WebServer Three Vulnerabilities
> 
> 
> 
> Summary
> 
> 04WebServer is a HTTP server developed by Soft3304 for Windows platforms. It is an \
> easy-to-configure personal HTTP server that supports CGI, SSI, WebDAV and SSL/TLS. \
> This advisory documents three vulnerabilities that were found in version 1.42 of \
> 04WebServer.  
> 
> Tested System
> 
> 04WebServer version 1.42 on English Win2K SP4 
> 
> 
> Details
> 
> 04WebServer is a HTTP server developed by Soft3304 for Windows platforms. It is an \
> easy-to-configure personal HTTP server that supports CGI, SSI, WebDAV and SSL/TLS. \
> This advisory documents three vulnerabilities that were found in version 1.42 of \
> 04WebServer. These include an XSS vulnerability, a lack of character filtering when \
> writing to the log file, and a potential server restart problem after requesting a DOS \
> device in the URL.
> 
> 1. Cross-Site Scripting (XSS) Vulnerability in Default Error Page
> 
> When a user requests a non-existent page from the web server, the default \
> error page Response_default.html is served to the user. This page displays the \
> user's requested URL without properly escaping HTML special characters. This may be \
> exploited by a malicious user to execute malicious Javascript in the victim's \
> browser, stealing his cookie. The following sample HTTP request demonstrates the \
> XSS vulnerability by displaying a harmless popup dialog box.
> http://[hostname]/<script>alert('XSS');</script>
> 
> 
> 2. Lack of Character Filtering allows the attacker to Inject Arbitrary Characters \
> into Log File
> 
> Users' HTTP requests are logged into a text file in the \04WebServer142\Logs \
> directory. The server performs only minimal filtering on the request URL before \
> writing it into the log file. This allows the attacker to inject arbitrary \
> characters into the log file. In particular, it may be possible for the attacker to \
> submit specifically crafted HTTP requests that would create fictitious entries in the \
> log. The following HTTP request, when submitted to a vulnerable 04WebServer, will \
> create a fictitious log entry.
> http://[hostname]/a%0a[22;45;24]%20<192.168.1.3>%20(74,632)%20[%90%b3%8f%ed%82%c9%8f%49%97%b9%82%b5%82%dc%82%b5%82%bd]%20GET%20/hack
> 
> The log entries that are created are shown below. The fake entry is the second \
> line. Note that the : character is filtered and hence cannot be created correctly \
> in the logs.
> [22:44:54] <10.0.0.4> (521,715) [指定されたファイルが存在しません] GET /a
> [22;45;24] <192.168.1.3> (74,632) [正常に終了しました] GET /hack
> 
> 
> 3. Requesting COM2 or other DOS devices in the URL may prevent the Server from \
> restarting properly 
> The attacker may specify the COM2 device in the request URL. This will cause the \
> web server to open a handle to the device. Doing so will prevent the server from \
> restarting properly the next time it needs to be restarted using \
> servercontroller.exe or using Windows' Service Control Manager. The following \
> sample HTTP request demonstrates this. If using COM2 doesn't work on your test \
> server, try other DOS devices like COM1, AUX, PRN, etc., until the server manages to \
> "open" a DOS device.
> http://[hostname]/COM2
> 
> The following screen capture shows the log display of servercontrol.exe when COM2 \
> is "opened". 
> 
> 
> 
> Patch
> 
> The author has been notified of this advisory by email, but has not released any fixes.
> 
> Disclosure Timeline
> 
30 Jul 04 - Vulnerabilities Discovered
> 30 Jul 04 - Initial Author Notification (no reply)
> 03 Aug 04 - Second Author Notification
> 04 Aug 04 - Author Reply (new version will be released by end August)
> 25 Oct 04 - Third Author Notification (no reply)
> 11 Nov 04 - Public Release
> 
> 
> Contacts
> 
> For further questions and enquiries, email them to the following. 
> Overall-in-charge: Tan Chew Keong 
> 
> 
> Reference
> 
> http://www.security.org.sg/vuln/04webserver142.html
> 
> 
> Regards to my girl and friends ;p
> Jerome
> 

