Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:7292
HistoryDec 06, 2004 - 12:00 a.m.

[Full-Disclosure] Multiple vulnerabilities in w3who ISAPI DLL

2004-12-0600:00:00
vulners.com
12
JSON
                         Exaprobe
                     www.exaprobe.com

                     Security Advisory

Advisory Name: Multiple vulnerabilities in w3who
Release Date: 6 December 2004
Application: Microsoft ISAPI extension w3who.dll
Platform: Windows 2000/XP Resource Kit
Severity: Remote code execution
Author: Nicolas Gregoire <[email protected]>
Vendor Status: Affected code is no more available
CVE Candidates: CAN-2004-1133 and CAN-2004-1135
Reference: www.exaprobe.com/labs/advisories/esa-2004-1206.html

Overview :

>From the Windows 2000 Resource Kit documentation :

"W3Who is an Internet Server Application Programming Interface
(ISAPI) application dynamic-link library (DLL) that works within
a Web page to display information about the calling context of
the client browser and the configuration of the host server."

Details :

There're two basic XSS vulnerabilities, and an easily exploitable
buffer-overflow.

XSS vulnerability when displaying HTTP headers :
Connection: keep-alive<script>alert("Hello")</script>

XSS vulnerability in error message :
/scripts/w3who.dll?bogus=<script>alert("Hello")</script>

Buffer overflow when called with long parameters :
/scripts/w3who.dll?AAAAAAAAA…[519 to 12571]…AAAAAAAAAAAAA

Vendor Response :

After notification by Exaprobe, Microsoft choosed to remove
the web download of this component and do not have any plans
to issue an updated version.

Recommendation :

Restrict access to the DLL.
Do not use it on production servers.

Related code :

Thanks to HD Moore, a Metasploit plugin will be integrated in the
upcoming release of the Metasploit Framework.
A NASL script has been sent to Nessus developpers.

CVE Information :

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2004-1133 Cross-site scripting issues in w3who.dll
CAN-2004-1134 Buffer-overflow in w3who.dll


Nicolas Gregoire ----- Consultant en Sécurité des Systèmes d'Information
[email protected] ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID:CA61B44F FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Related

nessus 2
openvas 2
saint 4
cve 3
checkpoint_advisories 2
packetstorm 3
canvas 1
nessus
nessus
Microsoft W3Who ISAPI w3who.dll Multiple Remote Vulnerabilities
2004-12-06 00:00:00
WS_FTP Server Multiple Command Remote Overflow DoS
2004-11-30 00:00:00
openvas
openvas
w3who.dll overflow and XSS
2005-11-03 00:00:00
w3who.dll Buffer Overflow / XSS Vulnerability - Active Check
2005-11-03 00:00:00
saint
saint
WS_FTP MKD command buffer overflow
2006-03-10 00:00:00
WS_FTP MKD command buffer overflow
2006-03-10 00:00:00
WS_FTP MKD command buffer overflow
2006-03-10 00:00:00
cve
cve
CVE-2004-1135
2005-01-10 05:00:00
CVE-2004-1133
2005-01-10 05:00:00
CVE-2004-1134
2005-01-10 05:00:00
checkpoint_advisories
checkpoint_advisories
Ipswitch WS_FTP Server Commands Buffer Overflow Denial of Service (CVE-2004-1135)
2009-11-30 00:00:00
Microsoft ISAPI W3Who Library Buffer Overflow (CVE-2004-1134)
2010-02-18 00:00:00
packetstorm
packetstorm
iis_w3who_overflow.pm
2005-01-12 00:00:00
Microsoft IIS ISAPI w3who.dll Query String Overflow
2009-11-26 00:00:00
WS-FTP Server 5.03 MKD Overflow
2009-11-26 00:00:00
canvas
canvas
Immunity Canvas: W3WHO
2005-01-10 05:00:00
JSON
Related for SECURITYVULNS:DOC:7292
nessus2openvas2saint4cve3checkpoint_advisories2packetstorm3canvas1