Date: 1 Mar 2005 11:26:38 -0000
From: <chewkeong@...urity.org.sg>
To: bugtraq@...urityfocus.com
Subject: [SIG^2 G-TEC] RaidenHTTPD Server Buffer Overflow and CGI Source
    Disclosure Vulnerabilities




SIG^2 Vulnerability Research Advisory

RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure Vulnerabilities

by Tan Chew Keong
Release Date: 01 Mar 2005


ADVISORY URL
http://www.security.org.sg/vuln/raidenhttpd1132.html


SUMMARY

RaidenHTTPD Server (http://www.raidenhttpd.com/en/index.html) is a full-featured web server for Windows 98 / Me / 2000 / XP / 2003. It is easy to install and use, and is designed for anyone who wants to have a website running within minutes. A CGI source code disclosure vulnerability was found in RaidenHTTPD that may be exploited to obtain the source code of any PHP script on the server. A buffer overflow vulnerability was also found that may be remotely exploited to cause a DoS and allow arbitrary code execution.

 
TESTED SYSTEM

RaidenHTTPD Server Version 1.1.32 (Shareware) on English Win2K SP4.

 
DETAILS

This advisory documents two vulnerabilities found in RaidenHTTPD server. The first vulnerability may be remotely exploited to obtain the source code of any PHP scripts on the server. The second is a buffer overflow vulnerability that may be remotely exploited to cause DoS or to execute arbitrary code on the server.


1. CGI source code disclosure vulnerability.

RaidenHTTPD supports CGI scripts written in PHP or Perl. The default installation comes with PHP installed. Using a specially crafted URL, it is possible to obtain the source code of any PHP script on the server.


2. Buffer overflow when processing HTTP requests with long URI.

A buffer overflow condition occurs when RaidenHTTPD receives a request whose URI is longer than 524 characters. Successful exploitation allows code execution with LOCAL SYSTEM privileges.
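As an added illustration (constructed here, not RaidenHTTPD's code or the vendor's fix), the check a request-line parser needs when it copies the URI into a fixed buffer: the token is measured against the 524-character limit the advisory reports and against the destination size before any copy, and an over-long URI is refused with 414 rather than overrunning the stack. The function names, buffer size and status codes are assumptions for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed fixed-size URI buffer, sized to the 524-character limit the
 * advisory reports; constructed example, not the server's own code. */
#define URI_MAX 524

enum parse_result { PARSE_OK = 0, PARSE_BAD_REQUEST = 400, PARSE_URI_TOO_LONG = 414 };

/* Copy the request-target of a line like "GET /index.php HTTP/1.0\r\n" into
 * out. An unchecked strcpy() into the fixed buffer is the classic overflow;
 * here the token is measured against the limit and the destination first,
 * so an over-long URI is refused with 414 rather than overrunning the stack. */
enum parse_result parse_request_target(const char *line, char *out, size_t out_len)
{
    const char *p = line, *start;
    size_t len;

    while (*p && *p != ' ') p++;                 /* skip the method token */
    if (*p != ' ') return PARSE_BAD_REQUEST;
    while (*p == ' ') p++;
    start = p;
    while (*p && *p != ' ' && *p != '\r' && *p != '\n') p++;
    len = (size_t)(p - start);
    if (len == 0 || *start != '/') return PARSE_BAD_REQUEST;
    if (len > URI_MAX || len >= out_len) return PARSE_URI_TOO_LONG;
    memcpy(out, start, len);
    out[len] = '\0';
    return PARSE_OK;
}

/* Build a request line whose request-target is exactly n bytes ("/" plus
 * n-1 'A's, constructed input) and report how the parser classifies it. */
enum parse_result classify_uri_of_length(size_t n)
{
    char uri[URI_MAX + 1];
    char *line;
    enum parse_result r;

    if (n == 0) return PARSE_BAD_REQUEST;
    line = malloc(n + 32);
    if (line == NULL) return PARSE_BAD_REQUEST;
    memcpy(line, "GET /", 5);
    memset(line + 5, 'A', n - 1);
    memcpy(line + 5 + (n - 1), " HTTP/1.0\r\n", 12);   /* 11 chars + NUL */
    r = parse_request_target(line, uri, sizeof uri);
    free(line);
    return r;
}
```

With this check in place, classify_uri_of_length(524) returns PARSE_OK and classify_uri_of_length(525) returns PARSE_URI_TOO_LONG, the boundary the advisory gives.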



PATCH

Vendor has released version 1.1.34 that fixes these vulnerabilities.

 
DISCLOSURE TIMELINE

20 Feb 05 - Vulnerability Discovered.
22 Feb 05 - Initial Vendor Notification.
22 Feb 05 - Initial Vendor Reply.
22 Feb 05 - Received notification from vendor that fixed version 1.1.34 is released.
01 Mar 05 - Public Release.


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html 

"IT Security...the Gathering. By enthusiasts for enthusiasts."

