guardadv.db4web.txt

Date: 21 Sep 2002
Reported by: Stefan Bagdohn
Type: packetstorm
Source: packetstormsecurity.com

DB4Web allows unauthorized file downloads through manipulated HTTP requests on multiple platforms.

```text
Guardeonic Solutions AG (www.guardeonic.com)

Security Advisory #01-2002

Advisory Name: DB4Web (R) File Disclosure
Release Date: 09/17/02
Affected Product: DB4Web (R) Application Server
Platform: Linux, *nix, MS Windows
Version: Unknown

Severity: A DB4Web component allows files on the server to be
downloaded

Author: Stefan Bagdohn <[email protected]>
<[email protected]>

Vendor Communication: 08/29/02 Initial Notification via email to
[email protected],
cc: [email protected]
08/30/02 Got vendor receipt via phone
09/02/02 Phone call by vendor regarding details
09/09/02 Second email to vendor asking for patch
status information
09/16/02 Phone call and email from vendor,
Update/Patch available

Overview:

(From vendor's website): "DB4Web, Your Application Server for high performance
and secure Web-Applications with access to various data sources"
...
"DB4Web (R) is a high-performance application server that makes available a
multitude of data sources on the Web. This means that you can simultaneously
read from and write to relational databases and a multitude of other
information sources and applications through Intranet or the Internet."
(end of vendor citation)

The DB4Web (R) application can be misused to view (or download) files
located on the server by sending crafted HTTP requests.

Description:

A DB4Web (R) server accessed with a web browser usually queries local or remote
databases to generate dynamic HTML pages. By requesting malicious URLs one can
manipulate the server application to disclose files located on the server
system. The browser will download them and (according to the MIME type) show
them directly within the browser window.
The db4web_c binary (on Unix/Linux systems) or db4web_c.exe binary (on
MS Windows) is located within the cgi-bin (scripts) directory of the
web server on the DB4Web (R) system. This binary executes the database query
and is accessible by the client's web browser.

Example:

On MS Windows systems the URL to retrieve the boot.ini file would
look like:
http://db4web.server.system/scripts/db4web_c.exe/dbdirname/c%3A%5Cboot.ini

On Linux/Unix servers the following URL will show /etc/hosts:
http://db4web.server.system/cgi-bin/db4web_c/dbdirname//etc/hosts

In the above examples db4web.server.system means the name or IP address of
the server, dbdirname is the name of the local database directory and
%3A%5C is the representation of :\ needed to access c:\boot.ini.

One can also download files, cmd.exe for example, by requesting
c%3A%5Cwinnt%5Csystem32%5Ccmd.exe.

Solution:

The DB4Web team provided an update of their software and notified their
customers about the problem. The patches can be found at:
http://www.db4web.de/DB4Web/home/DB4Web/hotfix_e.html

Credit:

Thanks to the DB4Web team for good cooperation and fast response!

(more to come...)
EOF
```
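The weakness the advisory describes is a path passed straight through the CGI: anything after the database directory name that resolves to an absolute path (a leading `/`, or an encoded drive letter such as `c%3A%5C`) or that climbs out of that directory is served as a file. The following detector, written for this page and not code from the advisory or from DB4Web, runs that check over constructed access-log lines; the same `is_escaping_path` test is the confinement check a server-side handler would apply before opening anything under the database directory. The `dbdirname` placeholder follows the advisory's usage.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Sep/2002:10:01:02 +0000] "GET /cgi-bin/db4web_c/dbdirname/report.html HTTP/1.0" 200 512
10.0.0.9 - - [21/Sep/2002:10:01:07 +0000] "GET /cgi-bin/db4web_c/dbdirname//etc/hosts HTTP/1.0" 200 158
10.0.0.9 - - [21/Sep/2002:10:01:09 +0000] "GET /scripts/db4web_c.exe/dbdirname/c%3A%5Cboot.ini HTTP/1.0" 200 220
10.0.0.7 - - [21/Sep/2002:10:02:00 +0000] "GET /scripts/db4web_c.exe/dbdirname/..%2F..%2Fwinnt%2Fwin.ini HTTP/1.0" 200 90
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# Path component after the CGI name: the database directory, then the file path.
DB4WEB_RE = re.compile(r'/db4web_c(?:\.exe)?/([^/]+)/(.*)$', re.IGNORECASE)
VIRTUAL_ROOT = "/dbroot"   # stands in for the real database directory


def is_escaping_path(rest: str) -> bool:
    """True if the path after the database directory name does not stay
    inside that directory: absolute Unix path, Windows drive path, or
    '..' segments that climb above the directory after normalization."""
    decoded = unquote(unquote(rest))        # decode twice to catch double-encoding
    unified = decoded.replace("\\", "/")    # treat Windows separators like '/'
    if unified.startswith("/"):             # e.g. '/etc/hosts' (advisory example)
        return True
    if re.match(r"^[A-Za-z]:/", unified):   # e.g. 'c:/boot.ini' from c%3A%5Cboot.ini
        return True
    resolved = normpath(VIRTUAL_ROOT + "/" + unified)
    return not (resolved == VIRTUAL_ROOT or resolved.startswith(VIRTUAL_ROOT + "/"))


def find_file_disclosure_attempts(log_text: str):
    """Return (client_ip, request_path) for db4web_c requests whose file
    path escapes the database directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = m.group(1).split("?", 1)[0]   # ignore any query string
        d = DB4WEB_RE.search(url)
        if d and is_escaping_path(d.group(2)):
            hits.append((line.split(" ", 1)[0], url))
    return hits


if __name__ == "__main__":
    for ip, url in find_file_disclosure_attempts(SAMPLE_LOG):
        print(f"file disclosure attempt from {ip}: {url}")
```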
