List: bugtraq
Subject: Re: 04WebServer Three Vulnerabilities
From: <chewkeong () security ! org ! sg>
Date: 2004-11-15 2:53:37
Message-ID: 20041115025337.6416.qmail () www ! securityfocus ! com
In-Reply-To: <20041110172001.17019.qmail@www.securityfocus.com>
The author released version 1.50 on 14 Nov 2004, which fixes these vulnerabilities.
See the updated SIG^2 Vulnerability Research Advisory:
http://www.security.org.sg/vuln/04webserver142.html
> Date: 10 Nov 2004 17:20:01 -0000
> Message-ID: <20041110172001.17019.qmail@www.securityfocus.com>
> From: "Jérôme" ATHIAS <jerome@athias.fr>
> To: bugtraq@securityfocus.com
> Subject: 04WebServer Three Vulnerabilities
>
> Summary
>
> 04WebServer is an HTTP server developed by Soft3304 for Windows platforms. It is an
> easy-to-configure personal HTTP server that supports CGI, SSI, WebDAV and SSL/TLS.
> This advisory documents three vulnerabilities that were found in version 1.42 of
> 04WebServer.
>
> Tested System
>
> 04WebServer version 1.42 on English Win2K SP4
>
>
> Details
>
> 04WebServer is an HTTP server developed by Soft3304 for Windows platforms. It is an
> easy-to-configure personal HTTP server that supports CGI, SSI, WebDAV and SSL/TLS.
> This advisory documents three vulnerabilities that were found in version 1.42 of
> 04WebServer. These include an XSS vulnerability, a lack of character filtering when
> writing to the log file, and a potential server restart problem after a DOS
> device is requested in the URL.
>
> 1. Cross-Site Scripting (XSS) Vulnerability in Default Error Page
>
> When the user requests a non-existent page from the web server, the default
> error page Response_default.html is served to the user. This page displays the
> user's requested URL without properly escaping HTML special characters. This may be
> exploited by a malicious user to execute malicious Javascript in the victim's
> browser, stealing his cookie. The following sample HTTP request demonstrates the
> XSS vulnerability by displaying a harmless popup dialog box.
>
> http://[hostname]/<script>alert('XSS');</script>
>
> 2. Lack of Character Filtering allows the attacker to Inject Arbitrary Characters
> into Log File
>
> Users' HTTP requests are logged into a text file in the \04WebServer142\Logs
> directory. The server performs only minimal filtering on the request URL before
> writing it into the log file. This allows the attacker to inject arbitrary
> characters into the log file. In particular, it may be possible for the attacker to
> submit specifically crafted HTTP requests that would create fictitious entries in the
> log. The following HTTP request, when submitted to a vulnerable 04WebServer, will
> create a fictitious log entry.
>
> http://[hostname]/a%0a[22;45;24]%20<192.168.1.3>%20(74,632)%20[%90%b3%8f%ed%82%c9%8f%49%97%b9%82%b5%82%dc%82%b5%82%bd]%20GET%20/hack
>
> The log entries that are created are shown below. The fake entry is highlighted in
> red. Note that the : character is filtered and hence cannot be created correctly
> in the logs.
>
> [22:44:54] <10.0.0.4> (521,715) [ÄwÆ.é.é.é.âtâ@âCâïé.æ.ì.é.é.é.é±] GET /a
> [22;45;24] <192.168.1.3> (74,632) [É.Å.é.ÅIù.é.é.é.é.] GET /hack
>
> 3. Requesting COM2 or other DOS devices in the URL may prevent the Server from
> restarting properly
>
> The attacker may specify the COM2 device in the request URL. This will cause the
> web server to open a handle to the device. Doing so will prevent the server from
> restarting properly the next time it needs to be restarted using
> servercontroller.exe or using the Windows Service Control Manager. The following
> sample HTTP request demonstrates this. If using COM2 doesn't work on your test
> server, try other DOS devices like COM1, AUX, PRN, etc., until the server manages to
> "open" a DOS device.
>
> http://[hostname]/COM2
>
> The following screen capture shows the log display of servercontrol.exe when COM2
> is "opened".
>
> Patch
>
> The author has been notified of this advisory by email, but has not released any fixes.
>
> Disclosure Timeline
>
> 30 Jul 04 - Vulnerabilities Discovered
> 30 Jul 04 - Initial Author Notification (no reply)
> 03 Aug 04 - Second Author Notification
> 04 Aug 04 - Author Reply (new version will be released by end August)
> 25 Oct 04 - Third Author Notification (no reply)
> 11 Nov 04 - Public Release
>
>
> Contacts
>
> For further questions and enquiries, email them to the following.
> Overall-in-charge: Tan Chew Keong
>
>
> Reference
>
> http://www.security.org.sg/vuln/04webserver142.html
>
>
> Regards to my girl and friends ;p
> Jerome
>
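As an added defensive illustration, not code from the advisory, from Soft3304 or from 04WebServer, the following Python request handler applies the three mitigations the advisory's findings call for: HTML-escaping the requested URL before it is echoed into the error page (finding 1), encoding control and non-printable bytes before the request path is written to the log so a request can never start a new log line (finding 2), and refusing any path segment that names a Windows/DOS device such as COM2, AUX or PRN before a file handle is opened (finding 3). The `SAMPLE_FILES` document set, the log layout and the request values are constructed for the example; the reserved-name list is the standard Windows set.

```python
import html
import re
from urllib.parse import unquote_to_bytes

# Names that Windows resolves to devices regardless of directory or extension
# (opening "COM2" or "COM2.txt" yields a handle to the serial port, not a file).
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Constructed document root standing in for the server's webroot.
SAMPLE_FILES = {"/index.html": "<html><body>Welcome</body></html>"}

# Anything outside printable ASCII: CR/LF (new log lines), ESC, NUL, high bytes.
_LOG_UNSAFE = re.compile(r"[^\x20-\x7e]")


def decode_path(raw_path: str) -> str:
    """Percent-decode once, mapping each byte to one character (latin-1) so that
    bytes such as %90%b3 are kept 1:1 instead of being merged or replaced."""
    return unquote_to_bytes(raw_path).decode("latin-1")


def escape_for_error_page(requested_url: str) -> str:
    """Finding 1: escape the URL before echoing it into an HTML error page,
    so <script> and quote characters render as text instead of markup."""
    return html.escape(requested_url, quote=True)


def sanitize_for_log(raw_path: str) -> str:
    """Finding 2: encode every non-printable byte as \\xNN so a request can
    never start a new log line or inject terminal control sequences."""
    return _LOG_UNSAFE.sub(lambda m: f"\\x{ord(m.group(0)):02x}", decode_path(raw_path))


def is_reserved_device_path(raw_path: str) -> bool:
    """Finding 3: true if any path segment names a DOS device. The stem before
    the first '.' or ':' is what Windows matches, so COM2.txt and COM2: count."""
    for segment in re.split(r"[/\\]", decode_path(raw_path)):
        stem = re.split(r"[.:]", segment, maxsplit=1)[0].strip().upper()
        if stem in RESERVED_DEVICE_NAMES:
            return True
    return False


def handle_request(method: str, raw_path: str, client_ip: str, timestamp: str):
    """Return (status, body, log_line) for one request, applying all three checks.
    The log layout mimics the advisory's '[time] <client> ... GET /path' shape."""
    if is_reserved_device_path(raw_path):
        # Refuse before any CreateFile/open call can touch the device.
        status, body = 400, "<html><body><h1>400 Bad Request</h1></body></html>"
    elif raw_path in SAMPLE_FILES:
        status, body = 200, SAMPLE_FILES[raw_path]
    else:
        status = 404
        body = (
            "<html><body><h1>404 Not Found</h1><p>The requested URL "
            f"{escape_for_error_page(raw_path)} was not found.</p></body></html>"
        )
    log_line = f"[{timestamp}] <{client_ip}> {method} {sanitize_for_log(raw_path)} {status}"
    return status, body, log_line


if __name__ == "__main__":
    # Constructed requests modelled on the advisory's three probes.
    for path in ("/index.html", "/<script>alert('XSS');</script>",
                 "/a%0a[22;45;24]%20<192.168.1.3>%20GET%20/hack", "/COM2"):
        status, _, line = handle_request("GET", path, "10.0.0.4", "22:44:54")
        print(status, line)
```

Decoding to latin-1 rather than UTF-8 is deliberate: the injection payload in the advisory carries raw high bytes, and a lossy decode would either merge them or turn them into replacement characters, hiding what was actually sent. The device check runs on the decoded path and on every segment, so percent-encoded or directory-prefixed spellings of a device name are caught as well.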