Packet Storm, PACKETSTORM:15082
WinWebserver-exploit.txt
Aug 17, 1999
http://www.sddt.com/files/library/98/06/25/tbc.html  
  
Source Programmers Discover Internet Server Bug  
  
Daily Transcript Business Report  
  
June 25, 1998  
  
Programmers at San Diego Source, the online news service of the San  
Diego Daily Transcript, have discovered a security hole affecting Web  
server software from both Netscape Communications and software and  
book publisher O'Reilly & Associates.  
  
The bug, allowing for the display of sensitive programming code being  
served by Windows NT and Windows 95 versions of Netscape Enterprise  
and O'Reilly & Associates' WebSite Professional, can be used by  
hackers to glean information considered by programmers to be  
invisible. The bug could allow for easy display of private documents  
featuring database passwords, user names and even programming codes  
that make events occur but are not meant for public perusal.  
  
So far the flaw has been shown to affect only machines running under  
the Windows operating system, but it is not clear if these are the  
only two Web server programs affected.  
  
Netscape Communications, which was notified about the bug via its  
Developer Forum on Friday, has been working with the Daily Transcript  
and is investigating the issue. On Tuesday, when it was discovered  
that WebSite Professional also was vulnerable, O'Reilly & Associates  
was alerted as well.  
  
Before either company had confirmed the bug's existence, Source  
programmers were able to view unprocessed server-side scripts on  
dozens of Web sites, including a server at Berkeley and www.osa.com,  
which belongs to O'Reilly & Associates.  
  
Because publishing specific details about the bug would leave  
countless Web sites vulnerable, the Daily Transcript has agreed not to  
describe exactly how the bug works until both companies have had a  
chance to issue a patch. The bug, however, is similar to a Microsoft  
Internet Information Server glitch that surfaced last year and has  
since been patched.  
  
"With that bug, you could tack a period to the end of a file name and  
get the same results that we're seeing here," said Leland Baker, an NT  
administrator and programmer at the Transcript who found the new bug.  
"This was a problem because hackers could look at the contents of  
unprocessed active server pages, which can contain Perl and VBScript  
with sensitive information."  
  
Microsoft scrambled to patch that glitch after CNET published details  
on how to exploit it. The patch was successful, and Microsoft's IIS is  
not vulnerable to the new bug. But a quick visit to a site running a  
third-party program processing active server pages (ASPs) under  
Netscape Enterprise revealed that, once again, the unprocessed  
contents of ASPs can be viewed, so Microsoft's latest patch only  
protects applications running under IIS.  
  
Bob Denny, lead developer for O'Reilly & Associates' WebSite  
Professional project, said the new bug stems from the fact that users  
can pass a file name containing extra characters to the NT/95/98  
operating system. Windows will accept the file name and open a file by  
the same name, except with the trailing characters removed.  
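The mechanism Denny describes is a mismatch between how the Web server chooses a handler (by the literal extension in the request) and how Windows resolves the file (after silently dropping trailing characters). The following added example, not from the article or from either vendor, models that mismatch and a defender's fix in Python; it assumes the Win32 rule that trailing dots and spaces are stripped from the final path component (the period case Baker mentions for IIS), and the log lines it scans are constructed:

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions the server should hand to a script engine, never serve raw.
SCRIPT_EXTENSIONS = {".asp", ".cfm", ".pl"}

def win32_canonical_name(path: str) -> str:
    """Win32 strips trailing dots and spaces from the last path component
    before opening a file, so 'page.asp.' and 'page.asp ' open 'page.asp'.
    (Assumed here to be the 'trailing characters' behaviour in the article.)"""
    return path.rstrip(". ")

def extension(path: str) -> str:
    """Literal extension of the final component, '' if there is none."""
    m = re.search(r"\.[^./\\]*$", path)
    return m.group(0).lower() if m else ""

def vulnerable_handler(request_path: str) -> str:
    """Dispatch by the literal extension and let the OS open the name as
    given: '.cfm.' is not '.cfm', so the script source is served raw."""
    return "script-engine" if extension(request_path) in SCRIPT_EXTENSIONS else "raw-file"

def hardened_handler(request_path: str) -> str:
    """Canonicalize first and refuse any name the OS would rewrite, so the
    handler decision and the file actually opened can never diverge."""
    canonical = win32_canonical_name(request_path)
    if canonical != request_path:
        return "reject"  # answer 404/403 rather than guessing a file
    return "script-engine" if extension(canonical) in SCRIPT_EXTENSIONS else "raw-file"

# Constructed Common Log Format lines for the detection check below.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Jun/1998:10:01:02 -0700] "GET /leases/search.cfm HTTP/1.0" 200 5120',
    '10.0.0.9 - - [25/Jun/1998:10:01:07 -0700] "GET /leases/search.cfm. HTTP/1.0" 200 2211',
    '10.0.0.9 - - [25/Jun/1998:10:01:09 -0700] "GET /app/login.asp%20 HTTP/1.0" 200 1902',
    '10.0.0.5 - - [25/Jun/1998:10:01:12 -0700] "GET /index.html HTTP/1.0" 200 3000',
]
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')

def flag_rewritten_requests(log_lines) -> list:
    """Return decoded request paths whose final component Windows would
    silently rewrite: a signal worth alerting on in access logs."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        path = unquote(urlsplit(m.group(1)).path)  # %20 becomes a space
        if win32_canonical_name(path) != path:
            hits.append(path)
    return hits
```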
  
"We consider this a serious security problem," Denny said. "The 2.3  
release of WebSite Pro is scheduled imminently (within days). We have  
already implemented a fix for this problem, and the fix will be  
available to our customers in the 2.3 version."  
  
"The bug is dangerous because it doesn't take a hacker to exploit it,"  
said Joseph Schmitt II, a system administrator for San Diego Source  
who helped identify the new glitch. "When virtually any user can visit  
your site and view the source code for an application, which sometimes  
includes vital system information, there's a real security threat.  
This bug may well affect the security of any file accessible via a URL  
address, compiled or otherwise."  
  
Jim Obsitnik, Netscape's Enterprise Server product manager, said  
engineers at Netscape also were able to confirm the bug's existence,  
and he indicated a patch would be issued early next week.  
  
"We've taken a look at it. The bug is a new one, and we're looking for  
the best way to get it out," Obsitnik said.  
  
The fix will also be included with the next point release of  
Enterprise, due to ship in September.  
  
Obsitnik indicated that the bug could leave any server-side script  
vulnerable, including some compiled and uncompiled executable files.  
  
Server-side scripts are a sort of hybrid programming language,  
combining standard HTML tags with tags developed by third-party  
vendors to allow for dynamic content in Web pages. These scripts,  
processed by a program residing on the server rather than by the  
client's browser, commonly are used to integrate the contents of large  
databases with Web pages. The end user sees only the information  
requested, usually based on their input into a search page.  
  
Allaire Cold Fusion, a popular and powerful database integration tool,  
is one such program.  
  
"The bug not only exposes the inner workings of a developer's own  
applications," said Ben Forta, long-time Cold Fusion developer and  
Allaire's product spokesman. "It could also expose highly confidential  
data like network and database login names and passwords."  
  
If hackers can view this information, it may be possible for them to  
alter or even delete data.  
  
While helping Netscape pinpoint which sites were affected, Baker and  
Schmitt discovered that servers running WebSite Professional, a  
popular Web server package from O'Reilly & Associates, also were  
vulnerable.  
  
"I viewed the source of one of their Cold Fusion scripts and then  
e-mailed it to them," Baker said. "The guy I initially talked to there  
was very concerned."  
  
The bug is especially important to developers because entire  
applications -- even entire sites -- are built using Cold Fusion  
markup language (CFML) and ASP.  
  
Cold Fusion ships with a program to encrypt CFML pages, but the  
utility introduces a sometimes difficult layer to the administration  
process.  
  
"A lot of times, developers will encrypt a Cold Fusion application if  
they sell it so that the source code can't be reused or modified,"  
Baker said. "But encrypting an entire site can be difficult to manage.  
Any bug fixes or modifications would have to be made to an unencrypted  
file, moved and re-encrypted. When you're dealing with a large number  
of files, this can seem like a tedious process until you get used to  
it."  
  
San Diego Source, at www.sddt.com, features numerous databases using  
CFML to provide information on commercial leases, home purchases, the  
San Diego Stock Exchange and more. Since discovering the bug, however,  
San Diego Source has taken the extra step of encrypting every CFML  
script on the site to protect the integrity of the databases.  
_________________________________________________________________  