[21842] in bugtraq
Re: Sambar Web Server pagecount exploit code
daemon@ATHENA.MIT.EDU (Axel Hammer)
Wed Jul 25 12:07:50 2001
Message-ID: <3B5EEC92.4DA24563@daten-treuhand.de>
Date: Wed, 25 Jul 2001 17:58:10 +0200
From: Axel Hammer <info@daten-treuhand.de>
MIME-Version: 1.0
To: Bugtraq Mailingliste <BUGTRAQ@securityfocus.com>, kyprizel@mail.kz
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
kyprizel schrieb:
> by default, there is a pagecount script with Sambar Web Server
> it's situated at http://sambarserver/session/pagecount
> counter writes it's temporary files at c:\sambardirectory\tmp
> if we'll write http://sambarserver/session/pagecount?page=index
> it will create file in Sambar temp directory with name index
> and if we'll write
> http://sambarserver/session/pagecount?page=../../../../../../autoexec.bat
> script will rewrite first simbols of c:\autoexec.bat with it's number
> so we able to add some text to any file on the disk...
Can confirm this on Sambar 4.4production (intranet only ;-) and W2kpro. Since
our installations use different drives for data and webpages vs. OS and
programs we found out that on the drive where the SAMBAR-programs are located
only an existing AUTOEXEC.bat ist affected, but no new file AUTOEXEC.bat e.g.
is created.
Regards, Axel Hammer
--
de:
Daten-Treuhand.de
Michael-Imhof-Str. 17
86609 Donauwörth
Tel.: +49 (0)906-70570621
Fax: +49 (0)906-70570622
info@daten-treuhand.de
http://www.daten-treuhand.de
