[23072] in bugtraq
Re: IBM AS/400 HTTP Server '/' attack
daemon@ATHENA.MIT.EDU (Felix Huber)
Thu Nov 8 16:53:06 2001
Message-ID: <007901c1689c$8b146100$0205a8c0@athlon>
From: "Felix Huber" <huberfelix@webtopia.de>
To: <bugtraq@securityfocus.com>
Date: Thu, 8 Nov 2001 22:30:09 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0076_01C168A4.EC419210"
------=_NextPart_000_0076_01C168A4.EC419210
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Hi,
you can detect a vulnerable server very easily:
----------------------------------------
GET /index.html HTTP/1.0
HTTP/1.0 200 OK
Server: IBM-HTTP-Server/1.0
....
Content-Type: text/html
----------------------------------------
----------------------------------------
GET /index.html/ HTTP/1.0
HTTP/1.0 200 OK
Server: IBM-HTTP-Server/1.0
....
Content-Type: www/unknown <------- here
----------------------------------------
A NASL Script is attached...
Regards,
Felix Huber
-------------------------------------------------------
Felix Huber, Security Consultant, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelix@webtopia.de (07668) 951 156 (phone)
http://www.webtopia.de (07668) 951 157 (fax)
(01792) 205 724 (mobile)
-------------------------------------------------------
> IBM's HTTP Server on the AS/400 platform is vulnerable to an attack
> that will show the source code of the page -- such as an .html or .jsp
> page -- by attaching an '/' to the end of a URL.
>
> Compare these two URL's:
>
> http://www.foo.com/getsource.jsp
>
> http://www.foo.com/getsource.jsp/
>
> The latter URL will deliver the jsp source to the browser.
>
> I reported this problem to IBM approximately 9 or 10 months ago.
------=_NextPart_000_0076_01C168A4.EC419210
Content-Type: application/octet-stream;
name="ibm_server_code.nasl"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="ibm_server_code.nasl"
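# This script was written by Felix Huber <huberfelix@webtopia.de>
#
# v. 1.00 (last update 08.11.01)
#
# Checks whether an IBM-HTTP-Server/1.0 (AS/400) discloses page source
# when a '/' is appended to a page URL: a vulnerable server answers the
# trailing-slash request with "Content-Type: www/unknown" instead of
# the normal text/html.

if(description)
{
 # TODO: replace the placeholder with the plugin id assigned to this
 # script; '?????????' is not a valid id and was left open by the author.
 script_id(?????????);
 name["english"] = "IBM-HTTP-Server View Code";
 script_name(english:name["english"]);

 desc["english"] = "
IBM's HTTP Server on the AS/400 platform is vulnerable to an attack
that will show the source code of the page -- such as an .html or .jsp
page -- by attaching an '/' to the end of a URL.

Example:
http://www.foo.com/getsource.jsp/

Solution : Not yet


Risk factor : High";

 script_description(english:desc["english"]);

 summary["english"] = "IBM-HTTP-Server View Code";
 script_summary(english:summary["english"]);

 # Read-only probe: only GET requests are sent, nothing is modified.
 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2001 Felix Huber");
 family["english"] = "CGI abuses";
 script_family(english:family["english"]);

 # Both dependencies in a single call instead of two separate
 # script_dependencie() calls, so neither one can shadow the other.
 script_dependencie("find_service.nes", "httpver.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

#
# The script code starts here
#

# Web port discovered by find_service.nes; fall back to 80.
port = get_kb_item("Services/www");
if(!port)port = 80;

# Candidate start pages; each is requested with a trailing '/' appended.
dir[0] = "/index.html";
dir[1] = "/index.htm";
dir[2] = "/index.jsp";
dir[3] = "/default.html";
dir[4] = "/default.htm";
dir[5] = "/default.jsp";
dir[6] = "/home.html";
dir[7] = "/home.htm";
dir[8] = "/home.jsp";

if(get_port_state(port))
{
 # Loop ends when dir[i] is unset.
 for (i = 0; dir[i] ; i = i + 1)
 {
  # A fresh socket per request: the server is asked with HTTP/1.0 and
  # the connection is closed after every response.
  soc = http_open_socket(port);
  if(soc)
  {
   url = string(dir[i], "/");
   req = http_get(item:url, port:port);
   send(socket:soc, data:req);
   r = recv(socket:soc, length:409600);
   close(soc);

   # Detection depends on the Server banner being present; a front-end
   # that strips or rewrites it would make this check miss the server.
   if("Server: IBM-HTTP-Server/1.0" >< r)
   {
    if("Content-Type: www/unknown" >< r)
    {
     # Record the finding in the scan report instead of only printing
     # to the console (the original display() call never reached the
     # report), then stop after the first positive page.
     security_hole(port);
     exit(0);
    }
   }
  }
 }
}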
=0A=
------=_NextPart_000_0076_01C168A4.EC419210--