lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041115025337.6416.qmail@www.securityfocus.com>
Date: 15 Nov 2004 02:53:37 -0000
From: <chewkeong@...urity.org.sg>
To: bugtraq@...urityfocus.com
Subject: Re: 04WebServer Three Vulnerabilities


In-Reply-To: <20041110172001.17019.qmail@....securityfocus.com>

Author has released version 1.50 on 14 Nov 2004, which fixes these vulnerabilities.

See updated SIG^2 Vulnerability Research Advisory
http://www.security.org.sg/vuln/04webserver142.html


>Received: (qmail 9787 invoked from network); 10 Nov 2004 21:29:41 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 10 Nov 2004 21:29:41 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>	by outgoing2.securityfocus.com (Postfix) with QMQP
>	id 3223C14370C; Wed, 10 Nov 2004 14:12:48 -0700 (MST)
>Mailing-List: contact bugtraq-help@...urityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@...urityfocus.com>
>List-Help: <mailto:bugtraq-help@...urityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@...urityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@...urityfocus.com>
>Delivered-To: mailing list bugtraq@...urityfocus.com
>Delivered-To: moderator for bugtraq@...urityfocus.com
>Received: (qmail 20027 invoked from network); 10 Nov 2004 11:05:16 -0000
>Date: 10 Nov 2004 17:20:01 -0000
>Message-ID: <20041110172001.17019.qmail@....securityfocus.com>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: "Jérôme" ATHIAS <jerome@...ias.fr>
>To: bugtraq@...urityfocus.com
>Subject: 04WebServer Three Vulnerabilities
>
>
>
>Summary
>
>04WebServer is a HTTP server developed by Soft3304 for Windows platforms. It is an easy-to-configure personal HTTP server that supports CGI, SSI, WebDAV and SSL/TLS. This advisory documents three vulnerabilities that were found in version 1.42 of 04WebServer. 
>
> 
>Tested System
>
>04WebServer version 1.42 on English Win2K SP4 
>
> 
>Details
>
>04WebServer is a HTTP server developed by Soft3304 for Windows platforms. It is an easy-to-configure personal HTTP server that supports CGI, SSI, WebDAV and SSL/TLS. This advisory documents three vulnerabilities that were found in version 1.42 of 04WebServer. This includes a XSS vulnerability, lack of character filtering when writing to log file, and potential server restart problem after requesting a DOS device in the URL. 
>
>1. Cross-Site Scripting (XSS) Vulnerability in Default Error Page
>
>When the user requests for a non-existing page from the web server, the default error page Response_default.html will be served out to user. This page displays the user's requested URL without properly escaping HTML special characters. This may be exploited by a malicious user to execute malicious Javascript on the victim's browser, stealing his cookie. The following sample HTTP request demonstrates the XSS vulnerability by displaying a harmless popup dialog box. 
>
>http://[hostname]/&lt;script&gt;alert('XSS');&lt;/script&gt;
>		
>
>
>2. Lack of Character Filtering allows the attacker to Inject Arbitrary Characters into Log File
>
>User's HTTP requests are logged into a text file in the \04WebServer142\Logs directory. The server performs only minimally filtering on the request URL before writing it into the log file. This allows the attacker to inject arbitrary characters into the log file. In particular, it may be possible for the attacker to submit specifically crafted HTTP requests that would create fictious entries in the log. The following HTTP request, when submitted to a vulnerable 04WebServer, will create a fictious log entry. 
>http://[hostname]/a%0a[22;45;24]%20<192.168.1.3>%20(74,632)%20[%90%b3%8f%ed%82%c9%8f%49%97%b9%82
>%b5%82%dc%82%b5%82%bd]%20GET%20/hack
>		
>
>The log entries that are created are shown below. The fake entry is highlighted in red. Note that the : character is filtered and hence, cannot be created correctly in the logs. 
>[22:44:54] <10.0.0.4> (521,715) [ÄwÆ.é.é.é.âtâ@âCâïé.æ.ì.é.é.é.é±] GET /a
>[22;45;24] <192.168.1.3> (74,632) [É.Å.é.ÅIù.é.é.é.é.] GET /hack
>		
>
>
>3. Requesting COM2 or other DOS devices in the URL may prevent the Server from restarting properly
>
>The attacker may specify the COM2 device in the request URL. This will cause the web server to open a handle to the device. Doing so will prevent the server from restarting properly the next time it needs to be restarted using servercontroller.exe or using Window's Service Control Manager. The following sample HTTP request demonstrates this. If using COM2 doesn't work on your test server, try other DOS devices like COM1, AUX, PRN, etc, until the server managed to "open" a DOS device. 
>http://[hostname]/COM2
>		
>
>The following screen capture shows the log display of servercontrol.exe when COM2 is "opened".
>
> 
>
> 
>Patch
>
>Author has been notified of this advisory by email, but has not released any fixes. 
>
> 
>Disclosure Timeline
>
>30 Jul 04 - Vulnerabilites Discovered
>30 Jul 04 - Initial Author Notification (no reply)
>03 Aug 04 - Second Author Notification
>04 Aug 04 - Author Reply (new version will be released by end August)
>25 Oct 04 - Third Author Notification (no reply)
>11 Nov 04 - Public Release
> 
>
>Contacts
>
>For further questions and enquries, email them to the following. 
>Overall-in-charge: Tan Chew Keong 
>
>
>Reference
>
>http://www.security.org.sg/vuln/04webserver142.html
>
>
>Regards to my girl and friends ;p
>Jerome
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ