NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2000-02

Subject: Zeus Web Server: Null Terminated Strings
From: Julian Midgley (jmidgleyZEUSTECHNOLOGY.COM)
Date: Tue Feb 08 2000 - 06:49:04 CST

Next message: Tim Adam: "Re: Evil Cookies."
Previous message: Paul L Schmehl: "Re: Bypass Virus Checking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This morning Zeus Technology Limited was informed of a serious security
bug in the Zeus Webserver by 'The Relay Group' (http://relaygroup.com).

This document describes the scope of the problem and its solution.

Versions affected
-----------------

Zeus 3.1.x / 3.3.x

Severity
--------

High- this bug allows the contents of CGI scripts to be read by a remote
client, if the scripts are run with the CGI module's "allow CGIs
anywhere" option enabled.

It does not affect CGIs run from designated directories (cgi-bins).
Nonetheless, we recommend that all customers upgrade to Zeus 3.3.5a- see
below for further details.

Description
-----------

Requests for URLs which contains the text '%00' are decoded to contain
a null-terminator. This means that files can be accessed via URLs
that are not access controlled, allowing files that are *inside* the
document root to be retrieved.

For example, if you run a webserver with the 'allow CGI anywhere' option,
and have a Perl CGI script inside the document root accessible as
'http://mysite/script.cgi' then a request for
'http://mysite/script.cgi%00' will cause the webserver to return the Perl
source of the CGI script to the client.

This happens because the mime-type of '.cgi\0' does not map to
'application/x-httpd-cgi', so is instead served by the get module as
'text/plain'. The webserver will ask the OS for the file
'script.cgi\0\0', and due to the zero-terminated string interface of
Unix, the OS will actually open 'script.cgi\0' instead of returning a
"file-not-found" error.

Problem Solution
----------------

We have fixed the problem in the latest version of Zeus (3.3.5a) now
available for all 14 platforms from our ftp site
ftp://ftp.zeustechnology.com/pub/products/z3.

This version will report itself as '3.3.5a' and also
display today's (8th Feb) date on startup.

Download the distribution for your platform, untar it, and run
'./zinstall --force' and it will seamlessly upgrade your running
server to the fixed release.

--
Julian Midgley                                Tel: +44 1223 525000
Technical Services Manager                    Fax: +44 1223 525100
Zeus Technology Ltd                  http://www.zeustechnology.com
Newton House, Cambridge Business Park, Cambridge. CB4 OWZ. England

Next message: Tim Adam: "Re: Evil Cookies."
Previous message: Paul L Schmehl: "Re: Bypass Virus Checking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]