
Re: 04WebServer Three Vulnerabilities



In-Reply-To: <20041110172001.17019.qmail@xxxxxxxxxxxxxxxxxxxxx>

Author has released version 1.50 on 14 Nov 2004, which fixes these 
vulnerabilities.

See updated SIG^2 Vulnerability Research Advisory
http://www.security.org.sg/vuln/04webserver142.html


>Date: 10 Nov 2004 17:20:01 -0000
>Message-ID: <20041110172001.17019.qmail@xxxxxxxxxxxxxxxxxxxxx>
>From: "Jérôme" ATHIAS <jerome@xxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: 04WebServer Three Vulnerabilities
>
>
>
>Summary
>
>04WebServer is an HTTP server developed by Soft3304 for Windows platforms. It 
>is an easy-to-configure personal HTTP server that supports CGI, SSI, WebDAV 
>and SSL/TLS. This advisory documents three vulnerabilities that were found in 
>version 1.42 of 04WebServer. 
>
> 
>Tested System
>
>04WebServer version 1.42 on English Win2K SP4 
>
> 
>Details
>
>04WebServer is an HTTP server developed by Soft3304 for Windows platforms. It 
>is an easy-to-configure personal HTTP server that supports CGI, SSI, WebDAV 
>and SSL/TLS. This advisory documents three vulnerabilities that were found in 
>version 1.42 of 04WebServer. These include an XSS vulnerability, lack of 
>character filtering when writing to the log file, and a potential server restart 
>problem after requesting a DOS device in the URL. 
>
>1. Cross-Site Scripting (XSS) Vulnerability in Default Error Page
>
>When the user requests a non-existent page from the web server, the 
>default error page Response_default.html will be served out to the user. This page 
>displays the user's requested URL without properly escaping HTML special 
>characters. This may be exploited by a malicious user to execute malicious 
>Javascript on the victim's browser, stealing his cookie. The following sample 
>HTTP request demonstrates the XSS vulnerability by displaying a harmless popup 
>dialog box. 
>
>http://[hostname]/<script>alert('XSS');</script>
>
>
>2. Lack of Character Filtering allows the attacker to Inject Arbitrary 
>Characters into Log File
>
>Users' HTTP requests are logged into a text file in the \04WebServer142\Logs 
>directory. The server performs only minimal filtering on the request URL 
>before writing it into the log file. This allows the attacker to inject 
>arbitrary characters into the log file. In particular, it may be possible for 
>the attacker to submit specifically crafted HTTP requests that would create 
>fictitious entries in the log. The following HTTP request, when submitted to a 
>vulnerable 04WebServer, will create a fictitious log entry. 
>http://[hostname]/a%0a[22;45;24]%20<192.168.1.3>%20(74,632)%20[%90%b3%8f%ed%82%c9%8f%49%97%b9%82
>%b5%82%dc%82%b5%82%bd]%20GET%20/hack
>
>The log entries that are created are shown below. The fake entry is the 
>second line. Note that the : character is filtered and hence cannot be 
>created correctly in the logs. 
>[22:44:54] <10.0.0.4> (521,715) [ÄwÆ.é.é.é.âtâ@âCâïé.æ.ì.é.é.é.é±] GET /a
>[22;45;24] <192.168.1.3> (74,632) [É.Å.é.ÅIù.é.é.é.é.] GET /hack
>
>
>3. Requesting COM2 or other DOS devices in the URL may prevent the Server from 
>restarting properly
>
>The attacker may specify the COM2 device in the request URL. This will cause 
>the web server to open a handle to the device. Doing so will prevent the 
>server from restarting properly the next time it needs to be restarted using 
>servercontroller.exe or using the Windows Service Control Manager. The following 
>sample HTTP request demonstrates this. If using COM2 doesn't work on your test 
>server, try other DOS devices like COM1, AUX, PRN, etc., until the server 
>manages to "open" a DOS device. 
>http://[hostname]/COM2
>
>The following screen capture shows the log display of servercontrol.exe when 
>COM2 is "opened".
>
> 
>
> 
>Patch
>
>Author has been notified of this advisory by email, but has not released any 
>fixes. 
>
> 
>Disclosure Timeline
>
>30 Jul 04 - Vulnerabilities Discovered
>30 Jul 04 - Initial Author Notification (no reply)
>03 Aug 04 - Second Author Notification
>04 Aug 04 - Author Reply (new version will be released by end August)
>25 Oct 04 - Third Author Notification (no reply)
>11 Nov 04 - Public Release
> 
>
>Contacts
>
>For further questions and enquiries, email them to the following. 
>Overall-in-charge: Tan Chew Keong 
>
>
>Reference
>
>http://www.security.org.sg/vuln/04webserver142.html
>
>
>Regards to my girl and friends ;p
>Jerome
>
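The three defects in the quoted advisory (reflected URL in the error page, unfiltered request path written to the log, and reserved DOS device names accepted as file paths) are each one missing input check on the request path. The following Python is an added illustration of those checks from the defender's side; it is not 04WebServer's code, and the request paths at the bottom are constructed from the advisory's examples with the hostname omitted.

```python
import html
from urllib.parse import unquote, unquote_to_bytes

# Windows reserved device names. A path component whose base name matches one
# of these (case-insensitively, with any extension) opens the device itself.
RESERVED_DEVICES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}


def is_dos_device_path(url_path: str) -> bool:
    """True if any decoded path segment names a DOS device (/COM2, /com2.txt, /docs/AUX)."""
    for segment in unquote(url_path).replace("\\", "/").split("/"):
        # Windows ignores the extension and trailing dots/spaces when matching.
        base = segment.split(".", 1)[0].rstrip(" .").upper()
        if base in RESERVED_DEVICES:
            return True
    return False


def sanitize_for_log(url_path: str) -> str:
    """Decode the request path once, then re-encode every byte that is not
    printable ASCII (including space) plus the log format's own delimiters,
    so one request can never span two log lines or imitate another entry."""
    out = []
    for b in unquote_to_bytes(url_path):
        if 0x20 < b < 0x7F and chr(b) not in "[]<>()":
            out.append(chr(b))
        else:
            out.append(f"%{b:02X}")
    return "".join(out)


def render_not_found(url_path: str) -> str:
    """Build the 404 body with the requested URL HTML-escaped, which is the
    missing step in the reflected Response_default.html page."""
    safe = html.escape(url_path, quote=True)
    return f"<html><body><h1>404 Not Found</h1><p>{safe}</p></body></html>"


# Constructed request paths modelled on the advisory's examples.
XSS_PATH = "/<script>alert('XSS');</script>"
LOG_INJECTION_PATH = "/a%0a[22;45;24]%20<192.168.1.3>%20(74,632)%20[%90%b3]%20GET%20/hack"

if __name__ == "__main__":
    print(is_dos_device_path("/COM2"), is_dos_device_path("/index.html"))
    print(sanitize_for_log(LOG_INJECTION_PATH))
    print(render_not_found(XSS_PATH))
```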