Home page logo
/

bugtraq logo Bugtraq mailing list archives

Zeus Web Server: Null Terminated Strings
From: jmidgley () ZEUSTECHNOLOGY COM (Julian Midgley)
Date: Tue, 8 Feb 2000 12:49:04 +0000


This morning Zeus Technology Limited was informed of a serious security
bug in the Zeus Webserver by 'The Relay Group' (http://relaygroup.com).

This document describes the scope of the problem and its solution.

Versions affected
-----------------

 Zeus 3.1.x / 3.3.x

Severity
--------

High- this bug allows the contents of CGI scripts to be read by a remote
client, if the scripts are run with the CGI module's "allow CGIs
anywhere" option enabled.

It does not affect CGIs run from designated directories (cgi-bins).
Nonetheless, we recommend that all customers upgrade to Zeus 3.3.5a- see
below for further details.

Description
-----------

Requests for URLs which contains the text '%00' are decoded to contain
a null-terminator.  This means that files can be accessed via URLs
that are not access controlled, allowing files that are *inside* the
document root to be retrieved.

For example, if you run a webserver with the 'allow CGI anywhere' option,
and have a Perl CGI script inside the document root accessible as
'http://mysite/script.cgi' then a request for
'http://mysite/script.cgi%00' will cause the webserver to return the Perl
source of the CGI script to the client.

This happens because the mime-type of '.cgi\0' does not map to
'application/x-httpd-cgi', so is instead served by the get module as
'text/plain'.  The webserver will ask the OS for the file
'script.cgi\0\0', and due to the zero-terminated string interface of
Unix, the OS will actually open 'script.cgi\0' instead of returning a
"file-not-found" error.

Problem Solution
----------------

We have fixed the problem in the latest version of Zeus (3.3.5a) now
available for all 14 platforms from our ftp site
ftp://ftp.zeustechnology.com/pub/products/z3.

This version will report itself as '3.3.5a' and also
display today's (8th Feb) date on startup.

Download the distribution for your platform, untar it, and run
'./zinstall --force' and it will seamlessly upgrade your running
server to the fixed release.


--
Julian Midgley                                Tel: +44 1223 525000
Technical Services Manager                    Fax: +44 1223 525100
Zeus Technology Ltd                  http://www.zeustechnology.com
Newton House, Cambridge Business Park, Cambridge. CB4 OWZ. England



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault