[23274] in bugtraq


Re: double dot vulnerability on a site running Informix database.

daemon@ATHENA.MIT.EDU (Randolf Richardson)
Wed Nov 28 09:36:03 2001

From: "Randolf Richardson" <randy@inter-corporate.com>
To: bugtraq@securityfocus.com
Date: Tue, 27 Nov 2001 14:04:00 -0800
MIME-Version: 1.0
Reply-To: rr@8x.ca
Message-ID: <3C039D50.3195.30E2FC@localhost>
In-reply-to: <1006821153.30940.1.camel@joel>
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body

> > I found a doubledot vulnerability on a site running 
> > Informix database. I can read any file on the 
> > system by putting /../ into the url. But so far I have 
> > only found two sites with this problem. 
> > The site is running Netscape-Enterprise/4.0 on 
> > Solaris according to Netcraft.com
> > 
> I have tested this on Apache 1.3.12/Solaris 7/webdriver 4.10.UC1,
> Netscape Enterprise 3.6/NT4/webdriver 4.10.TC1, IIS 5.0/Win2K/webdriver
> 4.11.TC1, Apache 1.3.12/Linux/webdriver 4.10.UC1, running on Informix
> Universal Server 9.2x on Linux, NT4 and Win2K with the web datablade
> 4.x.  All do not have this problem.
> 
> All the platforms I have tested simply close the connection immediately,
> giving a zero-sized reply.  I also tested using MIvalObj= instead of
> LO=, MIvalObj gives a 500 reply.
[Snip]

	Apache v1.3.22 running on Novell NetWare returns a "Bad request"
error message, so it's not vulnerable here either.  I suspect that Apache
is secure in this regard since the OS has very little to do with this type
of exploit.

Randolf Richardson - rr@8x.ca
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
http://www.8x.ca/

"Radioactive cats have 18 half-lives."
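
The "Bad request" behaviour reported in this thread can be reproduced as a server-side check. The following is an added example, not code from the thread or from any of the products named in it: it refuses a request target whose double-dot segments would climb above the root, including percent-encoded and double-encoded forms. The function names, the `obj` parameter and the sample targets are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote, parse_qsl

def _segments(value):
    """Decode percent-escapes until stable, then split on '/' and '\\'."""
    prev = None
    while prev != value:          # catches %2e%2e and %252e%252e alike
        prev, value = value, unquote(value)
    return value.replace("\\", "/").split("/")

def escapes_root(path):
    """True if resolving '.' and '..' would climb above the root."""
    depth = 0
    for seg in _segments(path):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def status_for(target):
    """Return 400 for a target that climbs out of the root, else 200."""
    parts = urlsplit(target)
    if escapes_root(parts.path):
        return 400
    # Assumption: query values may be used as object or file names, so any
    # '..' segment in a value is refused outright.
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if ".." in _segments(value):
            return 400
    return 200

# Constructed sample request targets ("obj" is a hypothetical parameter).
SAMPLES = [
    "/index.html",
    "/docs/../index.html",
    "/../etc/passwd",
    "/a/%2e%2e/%2e%2e/etc/passwd",
    "/a/%252e%252e/%252e%252e/x",
    "/cgi-bin/app?obj=/../../etc/passwd",
    "/cgi-bin/app?obj=report..final",
]

if __name__ == "__main__":
    for t in SAMPLES:
        print(status_for(t), t)
```

The check runs before the path or parameter reaches any file or database lookup, which is why the result does not depend on the operating system underneath.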

