Subject: Sambar Server search CGI vulnerability
From: Guido Bakker (guidobMAINNET.NL)
Date: Fri Sep 15 2000 - 01:37:42 CDT
Vulnerable: Sambar Server 4.4 Beta 3
Systems : WinNT, Win95 OSR2, (possibly Linux affected)
Product : http://www.sambar.com
Discovery : dethysynnergy.net
The Sambar Server comes with a non-caching HTTP proxy server and basic SMTP,
POP3, and IMAP4 proxy servers compiled in.
Sambar was created to test a three-tier communication infrastructure modeled
after the Sybase Open Client/Open Server. Originally developed on a Sun
Workstation (UNIX), it was ported to the PC (Windows 32) and licensed for
The vulnerability occurs in search.dll, the Sambar ISAPI Search shipped with
this product. This dynamic link library does not check the 'query' parameter
that is passed to the server; therefore, by constructing a malformed URL,
we are able to view the contents of the server, all folders, and files.
Thanks also to USSR Labs (www.ussrback.com) for further testing.
All that is needed is a malformed query parameter passed to search.dll
.. this will reveal the current working directory contents.
.. this will reveal the root dir of the server.
The vendor [ todsambar.com ] of Sambar Technologies has been contacted, so
wait until a patched version comes out.
Synnergy Networks may not be held liable for the use and/or potential effects
programs or advisories, nor the content contained within. Use them at your
E-Mail : dethysynnergy.net
Web : http://www.synnergy.net
-- Met vriendelijke groet / Kind regards,
| Guido Bakker <guidobmainnet.nl> | Network Manager
MainNet BV, http://www.mainnet.nl Phone: +31 (0)20 6133505 Fax: +31 (0)20 6135640
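
Until a patched version is installed, web server access logs can be reviewed for search.dll requests whose 'query' value is not ordinary search terms. The following is an added example, not part of the original advisory or of Sambar's code; the Common Log Format, the URL layout, the sample log lines and the allow-list of characters are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Common Log Format (not taken from the advisory).
SAMPLE_LOG = """\
192.0.2.10 - - [15/Sep/2000:08:01:12 +0200] "GET /search.dll?query=sambar+proxy&logic=AND HTTP/1.0" 200 2310
192.0.2.44 - - [15/Sep/2000:08:03:40 +0200] "GET /search.dll?query=&logic=AND HTTP/1.0" 200 9120
192.0.2.44 - - [15/Sep/2000:08:03:51 +0200] "GET /search.dll?query=%1b%5b&logic=AND HTTP/1.0" 200 15872
192.0.2.10 - - [15/Sep/2000:08:05:02 +0200] "GET /index.htm HTTP/1.0" 200 512
192.0.2.77 - - [15/Sep/2000:08:09:30 +0200] "GET /SEARCH.DLL?logic=AND&query=docs%5Cprivate HTTP/1.0" 200 4096
"""

# Client address and request target from one log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) [^"]*"')
# Assumed allow-list: what a normal search term looks like after URL decoding.
ORDINARY_TERMS = re.compile(r"[A-Za-z0-9 _'*+-]{1,128}")


def query_values(target):
    """Return the decoded 'query' values if target addresses search.dll, else None."""
    path, _, rest = target.partition("?")
    if not path.lower().endswith("/search.dll"):
        return None
    values = []
    for pair in re.split(r"[?&;]", rest):
        key, _, raw = pair.partition("=")
        if key.lower() == "query":
            values.append(unquote_plus(raw))
    return values


def suspicious_requests(log_text):
    """Return (client, target, reason) for each search.dll request worth reviewing."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        values = query_values(target)
        if values is None:
            continue  # not a request to the search component
        if not values:
            hits.append((client, target, "no query parameter"))
        for value in values:
            if not ORDINARY_TERMS.fullmatch(value):
                hits.append((client, target, "query=%r is not plain search terms" % value))
    return hits
```

The same allow-list idea applies on the server side: a search handler that rejects any 'query' value failing such a check never reaches the file-listing behaviour described in the advisory.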