From: astral403-security.org
Date: Fri May 25 2001 - 19:00:32 CDT


                            ==>> 403 Security Lab

    Advisory ID: 403-05-2001

    Advisory Name: Remote vulnerabilities in OmniHTTPd
    Release Date: 26.05.2001
    Application: OmniHTTPd
    Platform: Tested on Windows 2000 only
    Author: Astral <astral403-security.org>
    Vendor: www.omnicron.ca

    1. About OmniHTTPd
    2. PHP d.o.s.
    3. Scripts source disclosure
    4. Vendor response
    5. Greets

    1. About OmniHTTPd

    From official web site:
    In addition to Standard CGI support, the server
    sports advanced features such as Keep-Alive,
    table auto-indexing and server-side includes. For
    performance, OmniHTTPd is both 32-bit and multi-


    2. PHP d.o.s.


    PHP is an open source, server-side, cross-platform,
    embedded scripting language. PHP is a good alternative
    to ASP because native support is not limited to IIS
    servers on Windows NT. The PHP libraries provide good
    support for tasks like SQL and LDAP operations.

    OmniHTTPd supports PHP scripts, but it has two
    vulnerabilities. Both are connected with the way
    OmniHTTPd processes them.


    If a malicious user sends a lot of requests for some
    existing or non-existing PHP script on the web server,
    the server will consume 100% of the processor.
    Why does this happen?

    Every time a request for a PHP script arrives, the
    OmniHTTPd server starts a new PHP.exe process (CGI
    style) and runs the script in it, rather than keeping
    the interpreter memory-resident. Process creation
    dominates the cost of each request, so a flood of
    cheap requests from the client becomes expensive
    work on the server.

    Severity: d.o.s.


    3. Scripts source disclosure

    This one is much more dangerous. It allows anyone
    to view the source of scripts. This vulnerability is
    similar to the ones Microsoft had problems with.

    It is possible to make OmniHTTPd treat a .php, .shtml
    or .pl file as an ordinary HTML document. How?

    By appending a URL-encoded space (%20) to the script
    name. The request no longer matches the script
    extension, so the server identifies the file as a
    plain HTML document and sends the script source back
    to the client instead of executing it.

    Exploit: GET /somefuckingboringphpscript.php%20%20 HTTP/1.1
    Severity: Disclosure of script source
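    Why a trailing encoded space changes which handler runs, shown as an added
    Python example rather than OmniHTTPd's own (native Windows) code, which the
    advisory does not show. The handler table and function names are assumptions
    for illustration. The Windows detail the example relies on is that the
    filesystem silently strips trailing spaces and dots from a filename when
    opening it, so "index.php " opens "index.php". The naive dispatcher decodes
    the path and keys on whatever extension is left, which no longer matches
    ".php"; the hardened one refuses any path whose decoded form is not already
    canonical (no dot segments, no trailing spaces or dots, no control
    characters) before it looks at the extension, and compares extensions
    case-insensitively because Windows filenames are. That last point goes
    slightly beyond the advisory, which only mentions %20.

```python
import posixpath
from urllib.parse import unquote

# Constructed handler table (assumption): script extension -> handler name.
SCRIPT_HANDLERS = {".php": "php-cgi", ".shtml": "ssi", ".pl": "perl-cgi"}


def choose_handler_naive(request_path: str) -> str:
    """Vulnerable dispatch: decode the path, then key on whatever extension
    is left.  '/index.php%20' decodes to '/index.php ', whose extension is
    '.php ' (trailing space), so it falls through to the static handler.
    On Windows, opening 'index.php ' opens 'index.php', so the static
    handler reads the script and returns its source."""
    decoded = unquote(request_path)
    _, ext = posixpath.splitext(decoded)
    return SCRIPT_HANDLERS.get(ext, "static")


def canonical_form(decoded: str) -> str:
    """The path the filesystem would actually open: dot segments collapsed
    and the trailing spaces/dots that Win32 drops removed per component.
    A trailing slash (directory request) is preserved."""
    trailing = "/" if decoded.endswith("/") and len(decoded) > 1 else ""
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    if normalized == "/":
        return "/"
    parts = [part.rstrip(" .") for part in normalized.split("/")]
    return "/".join(parts) + trailing


def choose_handler_hardened(request_path: str) -> str:
    """Hardened dispatch: refuse any request whose decoded path is not
    already canonical, so the extension check sees the same name the
    filesystem will open (fail closed rather than guess).  Extensions
    compare case-insensitively because Windows filenames are."""
    decoded = unquote(request_path)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        raise PermissionError("control character in path")
    if canonical_form(decoded) != decoded:
        raise PermissionError("non-canonical path: %r" % decoded)
    _, ext = posixpath.splitext(decoded)
    return SCRIPT_HANDLERS.get(ext.lower(), "static")


def classify(request_path: str) -> str:
    """Handler name chosen by the hardened dispatcher, or 'rejected'."""
    try:
        return choose_handler_hardened(request_path)
    except PermissionError:
        return "rejected"


if __name__ == "__main__":
    probes = ("/index.php", "/index.php%20%20", "/index.php%2e",
              "/a/../index.php", "/INDEX.PHP", "/docs/")
    for path in probes:
        print("%-20s naive=%-8s hardened=%s"
              % (path, choose_handler_naive(path), classify(path)))
```

    Run stand-alone it prints, for each probe, what each dispatcher would do:
    the naive one sends "/index.php%20%20" and "/INDEX.PHP" to the static
    handler (source disclosure), while the hardened one either runs the script
    or rejects the request outright.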

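    Detection logic for both issues in this advisory (the PHP request flood of
    section 2 and the trailing-%20 source disclosure of section 3), as an added
    example that is not part of the advisory. It runs over constructed Common
    Log Format lines; OmniHTTPd's actual log format is not described on the
    page, and the IP addresses, timestamps and thresholds are made up. A client
    that hits .php resources more than a threshold number of times inside a
    sliding window is reported as a possible CGI-spawn flood, and any request
    whose script extension is followed only by encoded spaces, tabs or dots is
    reported as a source-disclosure probe.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real OmniHTTPd output): one normal client,
# one client hammering PHP scripts, one client probing for source disclosure.
SAMPLE_LOG = """\
127.0.0.1 - - [25/May/2001:19:00:01 -0500] "GET /index.php HTTP/1.1" 200 1024
10.0.0.5 - - [25/May/2001:19:00:10 -0500] "GET /index.php HTTP/1.1" 200 1024
10.0.0.5 - - [25/May/2001:19:00:10 -0500] "GET /index.php HTTP/1.1" 200 1024
10.0.0.5 - - [25/May/2001:19:00:11 -0500] "GET /nothere.php HTTP/1.1" 404 210
10.0.0.5 - - [25/May/2001:19:00:11 -0500] "GET /nothere.php HTTP/1.1" 404 210
10.0.0.5 - - [25/May/2001:19:00:12 -0500] "GET /index.php HTTP/1.1" 200 1024
10.0.0.5 - - [25/May/2001:19:00:12 -0500] "GET /index.php HTTP/1.1" 200 1024
192.168.1.7 - - [25/May/2001:19:05:42 -0500] "GET /admin/login.php%20%20 HTTP/1.1" 200 3311
192.168.1.7 - - [25/May/2001:19:05:50 -0500] "GET /cgi-bin/form.pl%2e HTTP/1.1" 200 870
127.0.0.1 - - [25/May/2001:19:10:00 -0500] "GET /about.shtml HTTP/1.1" 200 512
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$')
# A PHP script request: .php at the end of the path or just before the query.
PHP_RE = re.compile(r'\.php(?:\?|$)', re.I)
# Script extension followed only by encoded spaces/tabs/dots before the end
# of the path (or a query string): the pattern of the disclosure probe.
TRAILING_JUNK_RE = re.compile(r'\.(?:php|shtml|pl)(?:%20|%09|%2e|\.)+(?:\?\S*)?$', re.I)


def parse_clf(text):
    """Parse CLF lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(entry)
    return entries


def source_disclosure_probes(entries):
    """(ip, path) for every request shaped like the trailing-space probe."""
    return [(e["ip"], e["path"]) for e in entries if TRAILING_JUNK_RE.search(e["path"])]


def php_burst_clients(entries, window_seconds=10, threshold=5):
    """IPs that requested .php resources at least `threshold` times within
    any `window_seconds` sliding window (each request spawns PHP.exe)."""
    per_ip = defaultdict(list)
    for e in entries:
        if PHP_RE.search(e["path"]):
            per_ip[e["ip"]].append(e["time"])
    flagged = []
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    log = parse_clf(SAMPLE_LOG)
    print("PHP flood suspects:", php_burst_clients(log))
    for ip, path in source_disclosure_probes(log):
        print("source disclosure probe from %s: %s" % (ip, path))
```

    The window and threshold are deliberately low so the constructed sample
    trips them; on a real server they should be tuned against normal PHP
    traffic, since the flood is indistinguishable from legitimate load except
    by rate and source.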

    4. Vendor Response

    The vendor did not respond to us ...

    5. Greetz
    rfp, eEye, Luka, d-R