Sambar Server search CGI vulnerability

2000-09-18T00:00:00
ID SECURITYVULNS:DOC:686
Type securityvulns
Reporter Securityvulns
Modified 2000-09-18T00:00:00

Description

Vulnerable: Sambar Server 4.4 Beta 3 Systems : WinNT, Win95 OSR2, (possibly Linux affected) Product : http://www.sambar.com Discovery : dethy@synnergy.net

Discussion

The Sambar Server comes with a non-caching HTTP proxy server and basic SMTP, POP3, and IMAP4 proxy servers compiled in. Sambar was created to test a three-tier communication infrastructure modeled after the Sybase Open Client/Open Server. Originally developed on a Sun Workstation (UNIX), it was ported to the PC (Windows 32) and licensed for commercial purposes.

Vulnerability

The vulnerability occurs in the search.dll Sambar ISAPI Search shipped with this product. This dynamic link loader does not check on the 'query' parameter that is parsed to the server, therefore by constructing a malformed URL we are able to view the contents of the server, all folders, and files.

Thanks also to USSR Labs (www.ussrback.com) for further testing.

Exploit

All that is needed is a malformed query parameter parsed to the search.dll file.

http://server-running-sambar.com/search.dll?search?query=%00&logic=AND

.. this will reveal the current working directory contents.

http://server-running-sambar.com/search.dll?search?query=/&logic=AND

.. this will reveal the root dir of the server.

Solution

The vendor [ tod@sambar.com ] of Sambar Technologies has been contacted, so wait until a patched version comes out.

Disclaimer

Synnergy Networks may not be held liable for the use and/or potential effects of these programs or advisories, nor the content contained within. Use them at your own risk.

Contact

E-Mail : dethy@synnergy.net Web : http://www.synnergy.net

-- Met vriendelijke groet / Kind regards,

| Guido Bakker <guidob@mainnet.nl> | Network Manager

MainNet BV, http://www.mainnet.nl Phone: +31 (0)20 6133505 Fax: +31 (0)20 6135640