Re: 04WebServer Three Vulnerabilities
In-Reply-To: <20041110172001.17019.qmail@xxxxxxxxxxxxxxxxxxxxx>
Author has released version 1.50 on 14 Nov 2004, which fixes these
vulnerabilities.
See updated SIG^2 Vulnerability Research Advisory
http://www.security.org.sg/vuln/04webserver142.html
>Date: 10 Nov 2004 17:20:01 -0000
>Message-ID: <20041110172001.17019.qmail@xxxxxxxxxxxxxxxxxxxxx>
>From: "Jérôme" ATHIAS <jerome@xxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: 04WebServer Three Vulnerabilities
>
>
>
>Summary
>
>04WebServer is an HTTP server developed by Soft3304 for Windows platforms. It
>is an easy-to-configure personal HTTP server that supports CGI, SSI, WebDAV
>and SSL/TLS. This advisory documents three vulnerabilities that were found in
>version 1.42 of 04WebServer.
>
>
>Tested System
>
>04WebServer version 1.42 on English Win2K SP4
>
>
>Details
>
>04WebServer is an HTTP server developed by Soft3304 for Windows platforms. It
>is an easy-to-configure personal HTTP server that supports CGI, SSI, WebDAV
>and SSL/TLS. This advisory documents three vulnerabilities that were found in
>version 1.42 of 04WebServer. These include an XSS vulnerability, lack of
>character filtering when writing to the log file, and a potential server restart
>problem after requesting a DOS device in the URL.
>
>1. Cross-Site Scripting (XSS) Vulnerability in Default Error Page
>
>When the user requests a non-existent page from the web server, the
>default error page Response_default.html will be served to the user. This page
>displays the user's requested URL without properly escaping HTML special
>characters. This may be exploited by a malicious user to execute malicious
>JavaScript in the victim's browser, stealing his cookie. The following sample
>HTTP request demonstrates the XSS vulnerability by displaying a harmless popup
>dialog box.
>
>http://[hostname]/<script>alert('XSS');</script>
>
>
>
>2. Lack of Character Filtering allows the attacker to Inject Arbitrary
>Characters into Log File
>
>Users' HTTP requests are logged into a text file in the \04WebServer142\Logs
>directory. The server performs only minimal filtering on the request URL
>before writing it into the log file. This allows the attacker to inject
>arbitrary characters into the log file. In particular, it may be possible for
>the attacker to submit specifically crafted HTTP requests that would create
>fictitious entries in the log. The following HTTP request, when submitted to a
>vulnerable 04WebServer, will create a fictitious log entry.
>http://[hostname]/a%0a[22;45;24]%20<192.168.1.3>%20(74,632)%20[%90%b3%8f%ed%82%c9%8f%49%97%b9%82%b5%82%dc%82%b5%82%bd]%20GET%20/hack
>
>
>The log entries that are created are shown below. The fake entry is
>highlighted in red. Note that the : character is filtered and hence cannot be
>created correctly in the logs.
>[22:44:54] <10.0.0.4> (521,715) [ÄwÆ.é.é.é.âtâ@âCâïé.æ.ì.é.é.é.é±] GET /a
>[22;45;24] <192.168.1.3> (74,632) [É.Å.é.ÅIù.é.é.é.é.] GET /hack
>
>
>
>3. Requesting COM2 or other DOS devices in the URL may prevent the Server from
>restarting properly
>
>The attacker may specify the COM2 device in the request URL. This will cause
>the web server to open a handle to the device. Doing so will prevent the
>server from restarting properly the next time it needs to be restarted using
>servercontroller.exe or using the Windows Service Control Manager. The following
>sample HTTP request demonstrates this. If using COM2 doesn't work on your test
>server, try other DOS devices like COM1, AUX, PRN, etc., until the server
>manages to "open" a DOS device.
>http://[hostname]/COM2
>
>
>The following screen capture shows the log display of servercontrol.exe when
>COM2 is "opened".
>
>
>
>
>Patch
>
>Author has been notified of this advisory by email, but has not released any
>fixes.
>
>
>Disclosure Timeline
>
>30 Jul 04 - Vulnerabilities Discovered
>30 Jul 04 - Initial Author Notification (no reply)
>03 Aug 04 - Second Author Notification
>04 Aug 04 - Author Reply (new version will be released by end August)
>25 Oct 04 - Third Author Notification (no reply)
>11 Nov 04 - Public Release
>
>
>Contacts
>
>For further questions and enquiries, email them to the following.
>Overall-in-charge: Tan Chew Keong
>
>
>Reference
>
>http://www.security.org.sg/vuln/04webserver142.html
>
>
>Regards to my girl and friends ;p
>Jerome
>
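The three issues in the quoted advisory share one root cause: the raw request URL reaches an HTML page, a log line and the filesystem without being neutralised for each sink. The following Python module is an added example, not code from 04WebServer or from the advisory's authors; it shows the defensive handling a server should apply at each of those three sinks (HTML-escaping the URL echoed into the error page, rendering control characters visible before the URL is logged, and refusing reserved DOS device names before a path is opened on Windows). The function names, the log-line layout and the sample requests are constructed here for illustration; the reserved-name list follows Microsoft's documented set (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9).

```python
"""Hardening for the three request-URL sinks described in the advisory
(illustrative module; names and log layout are constructed, not 04WebServer's)."""
import html
import re
from urllib.parse import unquote

# Reserved DOS device names on Windows. A path component whose base name
# (before an optional extension, ignoring trailing spaces/dots) matches one
# of these refers to the device rather than a file, whatever the directory.
RESERVED_DEVICE_NAMES = {
    "CON", "PRN", "AUX", "NUL",
    *(f"COM{i}" for i in range(1, 10)),
    *(f"LPT{i}" for i in range(1, 10)),
}

# Control bytes (including CR and LF) that could start a new log line or
# carry terminal escape sequences into a log viewer.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def render_error_page(requested_url: str) -> str:
    """Sink 1: the 404 body echoes the requested URL, so HTML-escape it
    (quote=True also escapes ' and ", which matters inside attributes)."""
    safe_url = html.escape(requested_url, quote=True)
    return (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>The requested URL {safe_url} was not found on this server.</p>"
        "</body></html>"
    )


def sanitize_for_log(raw_url: str) -> str:
    """Sink 2: percent-decode once (so %0a is seen as a newline, not as
    harmless text), then render every control character as a visible
    \\xNN escape so a request can never fabricate a second log line."""
    decoded = unquote(raw_url, errors="replace")
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), decoded)


def format_log_entry(timestamp: str, client_ip: str, method: str, raw_url: str) -> str:
    """Constructed log layout; the point is that the URL field cannot
    break out of its line. Returns exactly one line."""
    return f"[{timestamp}] <{client_ip}> {method} {sanitize_for_log(raw_url)}"


def names_reserved_device(url_path: str) -> bool:
    """Sink 3: return True if any path component would resolve to a DOS
    device on Windows. Matching is case-insensitive, an extension is
    ignored ("com2.txt" still opens COM2) and so are trailing spaces/dots.
    Decode first so %43%4f%4d%32 cannot slip past a literal-string check."""
    decoded = unquote(url_path, errors="replace")
    for component in re.split(r"[/\\]", decoded):
        base = component.split(".", 1)[0].rstrip(" .").upper()
        if base in RESERVED_DEVICE_NAMES:
            return True
    return False


def handle_request(raw_url: str, client_ip: str = "10.0.0.4") -> dict:
    """Tie the three checks together for one request: refuse device paths
    up front with a 403, log every request on a single line, and build the
    error page with the escaped URL. Returns a summary for inspection."""
    if names_reserved_device(raw_url):
        status, body = 403, "<html><body><h1>403 Forbidden</h1></body></html>"
    else:
        status, body = 404, render_error_page(unquote(raw_url, errors="replace"))
    log_line = format_log_entry("22:44:54", client_ip, "GET", raw_url)
    return {"status": status, "body": body, "log": log_line}


if __name__ == "__main__":
    # Constructed samples modelled on the advisory's three requests.
    for url in (
        "/<script>alert('XSS');</script>",
        "/a%0a[22;45;24]%20<192.168.1.3>%20(74,632)%20GET%20/hack",
        "/COM2",
    ):
        result = handle_request(url)
        print(result["status"], result["log"])
```

The `unquote(..., errors="replace")` calls matter: the advisory's second request carries raw Shift-JIS bytes such as `%90%b3`, and decoding them as strict UTF-8 would raise; with replacement they become U+FFFD and the log line stays intact. Filtering only `:` (as the advisory notes the server does) leaves CR/LF untouched, which is exactly what the fabricated entry relies on.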