Bugtraq mailing list archives

Remote vulnerabilities in OmniHTTPd


From: <astral () 403-security org>
Date: 26 May 2001 00:00:32 -0000

                        ==>> 403 Security Lab <<==
                           www.403-security.org
                        

Advisory ID: 403-05-2001

-------------------------------------------------
Advisory Name: Remote vulnerabilities in OmniHTTPd
Release Date: 26.05.2001
Application: OmniHTTPd
Platform: Tested on Windows 2000 only
Author: Astral <astral () 403-security org>
Vendor: www.omnicron.ca
-------------------------------------------------

1. About OmniHTTPd
2. PHP d.o.s.
3. Scripts source disclosure
4. Vendor response
5. Greets


1. About OmniHTTPd

From official web site:
In addition to Standard CGI support, the server sports advanced
features such as Keep-Alive connections, table auto-indexing and
server-side includes. For maximum performance, OmniHTTPd is both
32-bit and multi-threaded

--------------------------------------------------------//

2. PHP d.o.s.

ABSTRACT:


PHP is an open source, server-side, cross-platform, HTML
embedded scripting language. PHP is a good alternative to
ASP because native support is not limited to servers running
IIS on Windows NT. The PHP libraries provide good support
for tasks like SQL and LDAP operations.


OmniHTTPd supports PHP scripts but it has two
vulnerabilities. Both are connected with the way
OmniHTTPd processes them.


DESCRIPTION:

If a malicious user sends a lot of requests for an existing or
non-existing PHP script on the web server, the server will
consume 100% of the processor. Why does this happen?

Every time you send a request for a PHP script, the OmniHTTPd
server starts PHP.exe and then tries to run the script,
rather than keeping it memory-resident.

Severity: d.o.s.

---------------------------------------------------------//

3. Scripts source disclosure

DESCRIPTION:
This one is much more dangerous. It allows anyone to view
the source of scripts. This vulnerability is similar to the ones
Microsoft had problems with.

It is possible to make OmniHTTPd think a .php, .shtml or .pl
file is an ordinary HTML document. How?

When the space character, URL-encoded as %20, is appended to
the requested name, OmniHTTPd will identify any script as an
HTML file and will send the script source back to the client.

Exploit: GET /somefuckingboringphpscript.php%20%20 HTTP/1.1
Severity: Disclosure of script source

---------------------------------------------------------//

4. Vendor Response

The vendor didn't respond to us ...

5. Greetz
rfp, eEye, Luka, d-R
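
An added example, not part of the original advisory and not OmniHTTPd's code: it shows how a handler lookup on the un-normalized request name leads to the source disclosure described in section 3, beside a lookup that canonicalizes the name first. It assumes the cause is that Windows ignores trailing spaces when opening a file (trailing dots are covered too, since Win32 strips them the same way); the handler table and function names are hypothetical.

```python
# Added illustration: a hypothetical handler lookup, not OmniHTTPd's code.
import posixpath
from urllib.parse import unquote

# Constructed mapping: extensions that must be executed, never served raw.
SCRIPT_HANDLERS = {".php": "php", ".shtml": "ssi", ".pl": "perl"}


def naive_handler(raw_path):
    """Flawed: looks up the extension exactly as the client sent it.
    raw_path is the request path without the query string."""
    ext = posixpath.splitext(unquote(raw_path))[1].lower()
    return SCRIPT_HANDLERS.get(ext, "static")


def canonical_path(raw_path):
    """Decode once, then drop the trailing spaces and dots of every
    segment, which Win32 file APIs ignore when opening a file."""
    decoded = unquote(raw_path)
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError("illegal character in request path")
    segments = []
    for seg in decoded.split("/"):
        stripped = seg.rstrip(" .")
        if seg and not stripped:  # ".", "..", " " and similar
            raise ValueError("dot or blank path segment")
        segments.append(stripped)
    return "/".join(segments)


def safe_handler(raw_path):
    """Choose the handler from the same name the filesystem will open."""
    ext = posixpath.splitext(canonical_path(raw_path))[1].lower()
    return SCRIPT_HANDLERS.get(ext, "static")


if __name__ == "__main__":
    # Constructed request paths; the first follows the advisory's pattern.
    for p in ("/index.php%20%20", "/index.php.", "/index.php", "/logo.gif"):
        print(f"{p:20} naive={naive_handler(p):7} safe={safe_handler(p)}")
```

With the naive lookup a script name followed by %20 falls through to the static-file path, so its source is returned; the canonicalizing lookup routes the same request to the script handler.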

