From: joetestaHUSHMAIL.COM
Date: Mon Feb 05 2001 - 14:40:22 CST

    To Ben Greenbaum:

        Please post this advisory instead of the last. I needed to
    make a minor change to the 'Vendor Status' section. Thanks.
    ----------

    Vulnerabilities in BiblioWeb Server

        Overview

    BiblioWeb Server 2.0 is a web server available from
    http://www.biblioscape.com. A vulnerability exists which allows a remote
    user to break out of the web root using relative paths (ie: '..', '...').
    A second vulnerability allows a remote attacker to crash the server.

        Details

    To break out of the web root, use the following URLs:

            http://localhost/..\[file outside web root]
            http://localhost/...\[file outside web root]

    To crash the server, telnet to port 80, and send:

            GET /[a lot of 'A's]

        The server crashes with the following dump:

    BIBLIOWEB caused an invalid page fault in
    module BIBLIOWEB.EXE at 017f:004069fd.
    Registers:
    EAX=00408b70 CS=017f EIP=004069fd EFLGS=00010283
    EBX=00408b70 SS=0187 ESP=0415fe88 EBP=04160418
    ECX=00000001 DS=0187 ESI=04160414 FS=58df
    EDX=04160414 ES=0187 EDI=04160518 GS=0000
    Bytes at CS:EIP:
    68 00 04 00 00 8d 44 24 04 50 8b 43 04 50 8b 03
    Stack dump:

        Solution

    No quick fix is possible.

        Vendor Status

    CG Information was contacted via <supportbiblioscape.com> on Monday,
    January 29, 2001. No reply was received.

            - Joe Testa ( e-mail: joetestahushmail.com / AIM: LordSpankatron )
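
Added example, not part of the original advisory and not the vendor's code: a sketch of the request-target check a Windows web server needs to stop both issues described above, treating '\' as a separator, refusing dot-only segments such as '..' and '...', and bounding the request length before anything else touches it. The function name, the web root path and the 2048-byte limit are assumptions made for illustration.

```python
import ntpath
from urllib.parse import unquote

# Assumed limit; the advisory does not say how many 'A's trigger the crash.
MAX_TARGET_LEN = 2048


def resolve_request_path(web_root, target):
    """Map a request target to a file under web_root, or return None to reject."""
    # Bound the input first, so an oversized "GET /AAAA..." is refused
    # before it is parsed or copied anywhere.
    if len(target) > MAX_TARGET_LEN:
        return None

    # Drop the query string, then decode so %2e%2e%5c is seen as "..\".
    path = unquote(target.split("?", 1)[0])
    if "\x00" in path or ":" in path:
        return None  # NUL bytes, drive letters, alternate data streams

    # Windows accepts both separators, so '\' is handled exactly like '/'.
    segments = [s for s in path.replace("\\", "/").split("/") if s]
    for seg in segments:
        # Rejects '.', '..', '...' and any segment made only of dots/spaces.
        if seg.strip(". ") == "":
            return None

    # Final containment check on the normalized path (defence in depth).
    root = ntpath.normcase(ntpath.normpath(web_root))
    full = ntpath.normcase(ntpath.normpath(ntpath.join(root, *segments)))
    if full != root and not full.startswith(root.rstrip("\\") + "\\"):
        return None
    return full


if __name__ == "__main__":
    root = r"C:\biblioweb\www"  # constructed web root, for illustration only
    for t in ["/index.html", "/..\\file.txt", "/...\\file.txt", "/" + "A" * 5000]:
        shown = t if len(t) < 40 else t[:20] + "..."
        print(repr(shown), "->", resolve_request_path(root, t))
```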
