Re: 04WebServer Three Vulnerabilities

[<chewkeong () security org sg>]

In-Reply-To: <20041110172001.17019.qmail () www securityfocus com>

Author has released version 1.50 on 14 Nov 2004, which fixes these vulnerabilities.

See updated SIG^2 Vulnerability Research Advisory
http://www.security.org.sg/vuln/04webserver142.html


> Received: (qmail 9787 invoked from network); 10 Nov 2004 21:29:41 -0000
> Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 10 Nov 2004 21:29:41 -0000
> Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id 3223C14370C; Wed, 10 Nov 2004 14:12:48 -0700 (MST)
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Received: (qmail 20027 invoked from network); 10 Nov 2004 11:05:16 -0000
> Date: 10 Nov 2004 17:20:01 -0000
> Message-ID: <20041110172001.17019.qmail () www securityfocus com>
> Content-Type: text/plain
> Content-Disposition: inline
> Content-Transfer-Encoding: binary
> MIME-Version: 1.0
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
> From: "Jérôme" ATHIAS <jerome () athias fr>
> To: bugtraq () securityfocus com
> Subject: 04WebServer Three Vulnerabilities
>
>
>
> Summary
>
> 04WebServer is a HTTP server developed by Soft3304 for Windows platforms. It is an easy-to-configure personal HTTP 
> server that supports CGI, SSI, WebDAV and SSL/TLS. This advisory documents three vulnerabilities that were found in 
> version 1.42 of 04WebServer. 
>
>
> Tested System
>
> 04WebServer version 1.42 on English Win2K SP4 
>
>
> Details
>
> 04WebServer is a HTTP server developed by Soft3304 for Windows platforms. It is an easy-to-configure personal HTTP 
> server that supports CGI, SSI, WebDAV and SSL/TLS. This advisory documents three vulnerabilities that were found in 
> version 1.42 of 04WebServer. This includes a XSS vulnerability, lack of character filtering when writing to log file, 
> and potential server restart problem after requesting a DOS device in the URL. 
>
> 1. Cross-Site Scripting (XSS) Vulnerability in Default Error Page
>
> When the user requests for a non-existing page from the web server, the default error page Response_default.html will 
> be served out to user. This page displays the user's requested URL without properly escaping HTML special characters. 
> This may be exploited by a malicious user to execute malicious Javascript on the victim's browser, stealing his 
> cookie. The following sample HTTP request demonstrates the XSS vulnerability by displaying a harmless popup dialog 
> box. 
>
> http://[hostname]/&lt;script&gt;alert('XSS');&lt;/script&gt;
>               
>
>
> 2. Lack of Character Filtering allows the attacker to Inject Arbitrary Characters into Log File
>
> User's HTTP requests are logged into a text file in the \04WebServer142\Logs directory. The server performs only 
> minimally filtering on the request URL before writing it into the log file. This allows the attacker to inject 
> arbitrary characters into the log file. In particular, it may be possible for the attacker to submit specifically 
> crafted HTTP requests that would create fictious entries in the log. The following HTTP request, when submitted to a 
> vulnerable 04WebServer, will create a fictious log entry. 
> http://[hostname]/a%0a[22;45;24]%20<192.168.1.3>%20(74,632)%20[%90%b3%8f%ed%82%c9%8f%49%97%b9%82
> %b5%82%dc%82%b5%82%bd]%20GET%20/hack
>               
>
> The log entries that are created are shown below. The fake entry is highlighted in red. Note that the : character is 
> filtered and hence, cannot be created correctly in the logs. 
> [22:44:54] <10.0.0.4> (521,715) [ÄwÆ.é.é.é.âtâ@âCâïé.æ.ì.é.é.é.é±] GET /a
> [22;45;24] <192.168.1.3> (74,632) [É.Å.é.ÅIù.é.é.é.é.] GET /hack
>               
>
>
> 3. Requesting COM2 or other DOS devices in the URL may prevent the Server from restarting properly
>
> The attacker may specify the COM2 device in the request URL. This will cause the web server to open a handle to the 
> device. Doing so will prevent the server from restarting properly the next time it needs to be restarted using 
> servercontroller.exe or using Window's Service Control Manager. The following sample HTTP request demonstrates this. 
> If using COM2 doesn't work on your test server, try other DOS devices like COM1, AUX, PRN, etc, until the server 
> managed to "open" a DOS device. 
> http://[hostname]/COM2
>               
>
> The following screen capture shows the log display of servercontrol.exe when COM2 is "opened".
>
>
>
>
> Patch
>
> Author has been notified of this advisory by email, but has not released any fixes. 
>
>
> Disclosure Timeline
>
> 30 Jul 04 - Vulnerabilites Discovered
> 30 Jul 04 - Initial Author Notification (no reply)
> 03 Aug 04 - Second Author Notification
> 04 Aug 04 - Author Reply (new version will be released by end August)
> 25 Oct 04 - Third Author Notification (no reply)
> 11 Nov 04 - Public Release
>
>
> Contacts
>
> For further questions and enquries, email them to the following. 
> Overall-in-charge: Tan Chew Keong 
>
>
> Reference
>
> http://www.security.org.sg/vuln/04webserver142.html
>
>
> Regards to my girl and friends ;p
> Jerome