HTTP Potential Problems

Updated (3.3.2)

Impact

The web server contains an application which may have a vulnerability. If the vulnerability is present, an unauthorized user could read files, change files, or execute commands on the server.

Background

The HyperText Transfer Protocol (HTTP) allows a client to retrieve HTML pages and interact with web applications using a web browser. HTTP servers contain programs which perform functions on the server at the request of the client (when a form is submitted, for example) and transmit the results to the client's browser in the form of an HTML page.

The Problems

Various programs which may be installed with certain Web servers are vulnerable to exploitation. These include:

piranha/secure/passwd.php3:
CVE 2000-0322
Piranha is a utility which comes with Red Hat Linux for administering the Linux Virtual Server. It comes with a default backdoor password which could allow unauthorized access to the Graphical User Interface (GUI). By exploiting vulnerabilities in the tools that come with the GUI, an attacker who knows the backdoor password could execute arbitrary commands on the server. Any server which has piranha-gui 0.4.12 installed, which is the default for Red Hat 6.2, is vulnerable.

cart32.exe:
This program is part of Cart 32, an E-Commerce Shopping Cart application. By default, it has a backdoor password of "wemilo". An attacker who knows this password could view a list of client passwords using an undocumented URL such as http://hostname/scripts/cart32.exe/cart32clientlist. The hashed client passwords could be used to execute arbitrary commands on the server using a specially crafted URL.

emurl/RECMAN.dll:
CVE 2000-0397
SeattleLab's Emurl 2.0 and earlier versions authenticate users with a simple ASCII encoding scheme based on the user's login name. This makes it possible to read other users' mail, reconfigure their accounts, or steal their POP passwords.

guestbook:
CVE 1999-0237
Selena Sol's guestbook CGI program could allow an attacker to execute arbitrary commands on the server if server side includes are enabled.

excite:
CVE 1999-0279
Excite for Web Servers does not sufficiently check queries for special characters before passing them to a shell. It is possible for a remote attacker to execute arbitrary commands on the server by exploiting this condition. Excite 1.1 for either Unix or Windows NT is affected by this vulnerability if patches have not been applied after 1/16/98.

site/eg/source.asp:
CVE 2000-0628
Apache::ASP comes with a sample script which can be exploited to write to files in the same directory as the script. Versions prior to 1.95 are vulnerable.

w3-msql:
CVE 2000-0012
Mini SQL has a buffer overflow condition which could allow a remote attacker to execute arbitrary commands on the server. Versions 2.0.4.1 through 2.0.11 for Unix and Linux are affected by this vulnerability.

wais.pl:
This script is a web interface to the waisq client. A vulnerability in wais.pl could allow a remote user to set command-line options through input parameters, thereby overwriting files on the server. This vulnerability also exposes a buffer overflow condition in waisq.
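The excite and wais.pl problems above share a root cause: user-supplied query text reaches a shell, or is handed to a client program as bare command-line words, without being checked. The following C program is an added example (not code from Excite, wais.pl or the advisories) of the defensive pattern both fixes come down to: an allow-list check on the query, and an argument vector built for exec rather than a shell command line, with "--" placed before the user's words so that a term such as "-f" cannot be interpreted as an option. The client path, the MAX_ARGS limit and the exact allow-list are assumptions for the example; a real deployment would use the characters its own search engine needs.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ARGS 16   /* constructed limit on argv entries for this example */

/* Allow-list check: a search term may contain only letters, digits,
 * space, '.', '_' and '-'. Every character a shell treats specially
 * (; | & ` $ ( ) < > \ " ' newline, ...) is rejected outright instead
 * of being escaped, which is the check Excite 1.1 lacked. */
int query_is_clean(const char *q)
{
    if (q == NULL || *q == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)q; *p; p++) {
        if (!(isalnum(*p) || *p == ' ' || *p == '.' || *p == '_' || *p == '-'))
            return 0;
    }
    return 1;
}

/* Build an argv for a search client so it can be started with execv()
 * and never passes through /bin/sh. Each whitespace-separated word
 * becomes its own argument, and "--" precedes the user's words so a
 * word beginning with '-' is a search term, not an option (the wais.pl
 * weakness). 'client' is a hypothetical binary path; 'scratch' must
 * outlive argv because argv points into it; argv needs MAX_ARGS+1 slots.
 * Returns argc, or -1 when the query is rejected or too long. */
int build_search_argv(const char *client, const char *query,
                      char *scratch, size_t scratch_len, char *argv[])
{
    if (!query_is_clean(query))
        return -1;
    if (strlen(query) >= scratch_len)
        return -1;
    strcpy(scratch, query);              /* safe: length checked above */

    int argc = 0;
    argv[argc++] = (char *)client;
    argv[argc++] = "--";
    for (char *w = strtok(scratch, " "); w != NULL; w = strtok(NULL, " ")) {
        if (argc >= MAX_ARGS)
            return -1;
        argv[argc++] = w;
    }
    argv[argc] = NULL;
    return argc;
}

/* Shows the argv produced for a constructed query that starts with '-'. */
int main(void)
{
    char scratch[128];
    char *argv[MAX_ARGS + 1];
    int argc = build_search_argv("/usr/local/bin/searchclient", "-f secret",
                                 scratch, sizeof scratch, argv);
    for (int i = 0; i < argc; i++)
        printf("argv[%d] = %s\n", i, argv[i]);
    printf("rejected: %d\n", build_search_argv("/usr/local/bin/searchclient",
                                                "term;other", scratch,
                                                sizeof scratch, argv));
    return 0;
}
```

The caller would fork and execv(argv[0], argv), so no shell ever parses the query; the allow-list is what makes the rejection decision explicit and auditable, which is why a deny-list of "known bad" characters is not used.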

ddicgi.exe:
This program is part of Mobius DocumentDirect for Internet. A buffer overflow condition could allow a remote attacker to execute arbitrary code.

db2www:
CVE 2000-0677
This program is part of the Net.Data application, which is used for web development. A buffer overflow in the processing of the PATH_INFO environment variable could allow an attacker to execute arbitrary code.

search97cgi/vtopic:
CVE 2000-1014
This file is the search function used by the SCO UnixWare 7 scohelphttp web server. Due to a format string vulnerability, an attacker could execute arbitrary commands on the server with the privileges of the nobody user.

webplus:
This script is part of the Web+ web application server. A vulnerability in the script could allow a remote attacker to view the source code of WML files, and possibly ASP files, by appending the string "::$DATA" to the URL. Additionally, the webping sample script could allow a remote attacker to view arbitrary files in the Linux version.

Big Brother:
CVE 2000-0639
CVE 2000-0978
A vulnerability in Big Brother could allow a remote attacker to execute arbitrary commands on the server by creating a file on the server and then going to the file in a web browser. A second vulnerability could allow a remote attacker to execute arbitrary code by sending specially crafted input to the server.

Directory Services Gateway (dsgw):
CVE 2000-1075
A buffer overflow condition in Netscape/iPlanet Directory Server 4.12 and Certificate Management System 4.2 could allow a remote attacker to execute arbitrary code or create a denial of service. A separate buffer overflow in Directory Server 4.11 and 4.12 could also allow a remote attacker to execute arbitrary code or create a denial of service.

pbserver.dll:
CVE 2000-1089
Microsoft PhoneBook Server is an optional component of IIS 4 and 5. A buffer overflow condition could allow an attacker to execute arbitrary code with the privileges of IUSR_machinename with IIS 4 or IWAM_machinename with IIS 5.

statsconfig.pl:
This script comes with OmniHTTPd. Due to a lack of parameter checking in the cgidir and mostbrowsers variables, a remote attacker could corrupt any file on the system, or inject arbitrary code into /cgi-bin/stats.pl, which can then be executed by calling the script from a browser. OmniHTTPd version 2.07 and possibly other versions are vulnerable.

wwwwais:
This script is a web interface to the popular WAIS search engine. A buffer overflow condition could allow a remote attacker to execute arbitrary code by sending a specially crafted query string.

pi:
This script is part of the PlanetIntra software. A buffer overflow could allow a remote attacker to execute arbitrary commands on the server.

post-query:
This is a simple C program for processing POST data from HTML forms. A buffer overflow condition could allow a remote attacker to execute arbitrary code on the server. However, in order for this vulnerability to be exploited there would need to be a large amount of physical or virtual memory on the server, and the operating system would need to allow the program to allocate the needed memory.

ncommerce3/*:
IBM's Net.Commerce and WebSphere applications encrypt user passwords using TripleDES. Unless the encryption key was changed from the default, these passwords can be easily decrypted. Furthermore, users can be enumerated and encrypted passwords can be retrieved using specially crafted queries. The combination of the above vulnerabilities could allow a remote attacker to gain access with administrator privileges.

All Net.Commerce 3.1 and 3.2 versions and WebSphere Commerce Suite version 4.1 are affected by this vulnerability if the MERCHANT_KEY has not been changed from the default. Versions 5.1 and later are not affected.

websync.exe:
This script is part of the CyberScheduler package. Due to insufficient checking of the length of the Time Zone variable, a remote attacker could create a buffer overflow attack, resulting in the ability to execute arbitrary commands.

globals.pl, process_bug.cgi:
These scripts are part of the Bugzilla bug tracking application. The first, globals.pl, could reveal sensitive information such as path names and database passwords. The second, process_bug.cgi, could allow a remote attacker to execute arbitrary commands if the attacker registers with Bugzilla with a specially crafted e-mail address containing shell commands.

query.asp, query.idq:
These are the search scripts for Microsoft Index Server. There are two vulnerabilities. The first is a buffer overflow, which could allow an attacker to crash the service or execute arbitrary commands with Local System privileges. An attacker would need to be able to authenticate to the server in order to exploit the vulnerability. This vulnerability only affects Index Server 2.0, which comes with the Windows NT 4.0 Option Pack and is not enabled by default.

CVE 2000-0097
The second vulnerability affects Index Server's hit-highlighting feature. Due to insufficient parameter checking, this feature could be exploited to view any file on the same logical drive as the web server. This vulnerability affects Index Server 2.0 and Indexing Services for Windows 2000.

FtpSaveCSP.dll, FtpSaveCVP.dll:
These are administrative programs for the Trend Micro InterScan VirusWall for Windows NT. Due to a buffer overflow, it is possible for a remote attacker to execute arbitrary commands with System privileges. Trend Micro 3.51 is affected by this vulnerability.

Resolutions

piranha/secure/passwd.php3:
Upgrade the piranha-gui package to version 0.4.13-1 or higher.

cart32.exe:
Using a hex editor, change the backdoor password (found at 0x6204h) to something else. Also change the permissions on c32web.exe so that it is only accessible by administrators. This will prevent unauthorized users from executing arbitrary commands using a specially crafted URL. Alternatively, apply the patch developed by L0pht.

emurl/RECMAN.dll:
Replace Emurl with a version higher than 2.0.

guestbook:
Disable server side includes. If this is not possible, or for additional security protection, make the following changes to the guestbook setup file:

excite:
Install the patch.

site/eg/source.asp:
Either delete the script, or upgrade to Apache::ASP version 1.95 or higher.

w3-msql:
Apply the patch which can be found in the X-Force Advisory.

wais.pl:
In waisq.pl, change @query to $pquery at the end of the line that begins with "open(WAISQ". As an additional precaution, recompile waisq with the following change in the source code:

char pathname[MAX_FILENAME_LEN+1];
to
char pathname[MAX_FILENAME_LEN*2+1];

ddicgi.exe:
Contact Mobius for a patch.

db2www:
Download and install the fix for your operating system.

search97cgi/vtopic:
Disable the web server which runs on port 457, or apply the workaround described in Bugtraq.

webplus:
Upgrade to version 4.6, build 542 or higher. Remove all sample scripts.

Big Brother:
The workaround for the first vulnerability is to implement access restrictions in the $BBHOME/etc/security file. This file is not enabled by default. The solution for the second vulnerability is to implement the workaround posted to Bugtraq or upgrade to Big Brother version 1.5c2 or higher.

Directory Services Gateway (dsgw):
Upgrade to Directory Server 4.13 through the iPlanet Support Channel.

pbserver.dll:
Apply a patch referenced in Microsoft Security Bulletin MS 00-094.

statsconfig.pl:
Remove this script and any other unneeded scripts in the cgi-bin directory.

wwwwais:
Remove this script or make the following changes to wwwwais.c and re-compile:

Line 348: change from
strcpy(argstr, argp);
to
strncpy(argstr, argp, MAXSTRLEN);

Line 351: change from
strcpy(argstr, query_string);
to
strncpy(argstr, query_string, MAXSTRLEN);
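As an added example (not wwwwais.c itself, whose buffer layout and MAXSTRLEN value are not shown here), the program below places the unbounded strcpy beside a bounded copy of the kind the change above introduces. One caveat worth carrying into the recompile: strncpy with a count equal to the buffer size does not append a terminator when the source is that long or longer, so the example copies at most MAXSTRLEN-1 bytes and writes the terminator itself, and reports whether truncation occurred. MAXSTRLEN here is a constructed value for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAXSTRLEN 64   /* constructed for this example; wwwwais.c defines its own */

/* Unbounded copy, the pattern at lines 348/351 of wwwwais.c. With a
 * query string longer than the destination this writes past argstr.
 * Shown only for contrast; the test below never calls it with
 * oversized input. */
void copy_query_unbounded(char argstr[MAXSTRLEN], const char *src)
{
    strcpy(argstr, src);
}

/* Bounded copy: at most MAXSTRLEN-1 bytes, always terminated.
 * Returns 1 if the whole source fit, 0 if it had to be truncated. */
int copy_query_bounded(char argstr[MAXSTRLEN], const char *src)
{
    size_t len = strlen(src);
    size_t n = len < MAXSTRLEN - 1 ? len : MAXSTRLEN - 1;
    memcpy(argstr, src, n);
    argstr[n] = '\0';
    return len == n;
}

/* Same guarantee using strncpy, the call the fix recommends, plus the
 * explicit terminator that strncpy does not provide on truncation. */
int copy_query_strncpy(char argstr[MAXSTRLEN], const char *src)
{
    strncpy(argstr, src, MAXSTRLEN - 1);
    argstr[MAXSTRLEN - 1] = '\0';
    return strlen(src) < MAXSTRLEN;
}

/* Convenience for checking: length actually stored for a given source. */
size_t stored_length(const char *src)
{
    char argstr[MAXSTRLEN];
    copy_query_bounded(argstr, src);
    return strlen(argstr);
}

/* Demonstrates the guard on a constructed oversized query string. */
int main(void)
{
    char argstr[MAXSTRLEN];
    char longq[MAXSTRLEN * 4];
    memset(longq, 'A', sizeof longq - 1);
    longq[sizeof longq - 1] = '\0';

    int fit = copy_query_bounded(argstr, longq);
    printf("fit=%d stored=%zu of %zu bytes\n", fit, strlen(argstr), strlen(longq));
    return 0;
}
```

When the copy reports truncation the CGI should reject the request rather than search on a silently shortened string, so the return value is meant to be checked, not ignored.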

pi:
Contact PlanetIntra for a patch.

post-query:
Remove cgi-bin/post-query from the web server. It is a sample program which serves no practical purpose.

ncommerce3/*:

  1. Change your admin passwords.
  2. Secure your macros. See issue 2001-1 for details.
  3. Read and follow the instructions to update administrator and shopper passwords in the readme file.
  4. Read and follow the instructions to fix your macros to prevent future exposure in the readme file.
  5. Check issue 2001-2 regularly for updates.

websync.exe:
Install the patch released by Crosswind or upgrade to any version released after February, 2001.

globals.pl, process_bug.cgi:
Download Bugzilla 2.12 or higher.

query.asp, query.idq:
Apply the patches recommended in Microsoft Security Bulletins 00-006 and 01-025.

FtpSaveCSP.dll, FtpSaveCVP.dll:
At the time of this writing, there is no patch for this vulnerability. Access to the server by non-administrative users should be denied until a fix can be applied.

Where can I read more about this?

piranha/secure/passwd.php3:
See the X-Force advisory.

cart32.exe:
See the Cerberus Advisory.

emurl/RECMAN.dll:
See the Bugtraq posting.

guestbook:
See the X-Force Advisory.

excite:
See the X-Force Advisory.

site/eg/source.asp:
See the Bugtraq posting.

w3-msql:
See the X-Force Advisory.

ddicgi.exe:
This vulnerability was discussed in an advisory from @stake.

db2www:
This vulnerability was discussed in an X-Force Advisory.

search97cgi/vtopic:
See the Bugtraq posting.

webplus:
The ::$DATA problem and the webping problem were both posted to Bugtraq.

Directory Services Gateway (dsgw):
See the CORE-SDI advisories on the denial-of-service vulnerability and the arbitrary code execution vulnerability. See the @stake advisory for information on the second vulnerability.

pbserver.dll:
See the CORE-SDI advisory and Microsoft Security Bulletin MS 00-094.

statsconfig.pl:
See Bugtraq.

wwwwais:
See Bugtraq.

pi:
See S.A.F.E.R. Bulletin 010125.EXP.1.12.

post-query:
See Bugtraq.

ncommerce3/*:
See WebSphere Commerce Suite Security Issue 2.

websync.exe:
This vulnerability was reported in Defcom Labs Advisory def-2001-18.

globals.pl, process_bug.cgi:
This vulnerability was reported in @stake advisory 04.30.01.

query.asp, query.idq:
See Microsoft Security Bulletins 00-006 and 01-025.

FtpSaveCSP.dll, FtpSaveCVP.dll:
See SNS Advisory 31.