websitepro.txt

2000-09-11T00:00:00
ID PACKETSTORM:23038
Type packetstorm
Reporter Crono
Modified 2000-09-11T00:00:00

Description

                                        
                                            `Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>  
From: Crono <crono@THEPENTAGON.COM>  
Subject: WebServer Pro 2.3.7 Vulnerability  
To: BUGTRAQ@SECURITYFOCUS.COM  
  
-- WebSite Pro 2.3.7 Vulnerability --  
  
WebSite Pro is a Web Server for Win95/98/NT plataforms.  
  
The vulnerability (or bad server administration) allow any user  
to create arbitrary files with arbitrary text on the victim machine,  
from  
the Internet Web Browser.  
  
By a default installation any user can create or uploads files to the  
victim machine running a vulnerable version of WebSite Pro. The problem  
is a bad "protection access" of the main directories on the machine.  
  
In a default installation, WebServer Pro, create on him root directory  
the  
next directories readables (by default) from any user:  
  
cgi-win  
cgi-shl  
cgi-src  
cgi-temp  
  
The problem is in the aplication called "uploader.exe" located on  
/cgi-win  
directory. In other versiones of WebSite Pro this directory is unable to  
read from any user, but in these version, WebServer fail when check the  
roots directories and the proper web-html directories.  
  
For example, if we install WebServer Pro in c:\website, WebServer  
create:  
  
c:\website\cgi-win  
c:\website\cgi-shl  
c:\website\cgi-src  
...  
  
with various information and aplications inside.  
  
We must choose a directory for own we web page (by default in  
c:\website\htdocs), but, in these example, we will install we root  
web directory in c:\mywebs\libros, so we have we index.html in  
c:\mywebs\libros\index.html. In these directory only reside the  
web page files, not cgi-win or other cgi directory...  
  
Well, if we connect to the web server using a normal Internet Explorer,  
and  
we try to read a file that not exist in the directory, we find this  
error message:  
  
----------------------------------  
GET www.victim.com/foo  
  
404 Not Found  
  
The requested URL was not found on this server:  
  
/foo  
  
(C:\mywebs\libros\foo)  
----------------------------------  
  
How we can see, WebServer revealed the real path of the webserver.  
(Vulnerability published various mouths ago)  
  
But if we try to access to cgi-win directory, automatically  
and "magically" the  
WebServer redirect us to the real cgi-win directory, located in  
c:\website\cgi-win  
Example:  
  
-----------------------  
  
GET www.victim.com/cgi-win  
  
404 Not Found  
  
The requested URL was not found on this server:  
  
/cgi-win/  
  
(C:\WebSite\cgi-win\)  
------------------------------  
  
How we can see, the WebServer say us that these directory dosn´t  
exist...  
but if we try to ejecute the default aplicacion "uploader.exe" located  
in real cgi-win directory...  
  
---------------------------------  
GET www.victim.com/cgi-win/uploader.exe  
  
WopS! we enter in a cgi web page that allow us to upload any file in  
we machine to the remote machine.  
  
This error in readable directories, is the same for cgi-shl and cgi-src.  
  
In other version, if you define your root directories as  
c:\mywebs\libros  
you cann´t upload to parent directories and cann´t change to cgi-win  
real directory.  
  
  
  
Solution:  
  
Change the permisions of cgi-win and other cgi  
directories, or deleting uploader.exe.  
  
  
I found these bug in WebServer Pro 2.3.7 version, I don´t know if early  
versions are vulnerable too, but in 2.3.3 version, these bug don´t  
exist.  
  
  
Sorry for my english...  
  
/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/  
  
Bug found by Crono (Hispano Scene) crono@thepentagon.com  
  
Aprovecho para saludar a la peña de #phreak, #hacker_novatos,  
#hacking, y #hpcv.  
  
24-8-2000 (Spain)  
/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/  
  
`