Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: advisoriesirmplc.com
Date: Fri Sep 21 2001 - 07:51:24 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hash: SHA1

            IRM Security Advisory No. 001

            Xcache Webserver Cache Path Disclosure Vulnerability

            Vulnerablity Type / Importance: Information Leakage / Medium

            Problem discovered: Mon, 17 Sep 2001
            Vendor contacted: Wed, 19 Sep 2001
            Advisory published: Fri, 21 Sep 2001


            Xcache webserver accelerator for Windows NT and Windows 2000
    reveals absolute pathnames of documents served by the webserver in
    the case that caching is turned off for that document.


            Xcache (http://www.xcache.com) is an application that runs in
    front of the Microsoft IIS webserver (versions 4 and 5) and caches
    pages. When a request is made for a particular document, Xcache checks
    to see if it holds a cached copy of the document, and returns it if
    so, thus reducing the load on the underlying webserver.
            This is most useful for dynamic content, such as .asp scripts.
     However, for some scripts, it is not desirable to hold a cached copy.
     These scripts are most commonly those which are specific to
    individual users, such as Shopping Baskets and the like. For this
    reason, Xcache provides the functionality to turn off caching for
    individual pages, or for entire folders (in which case all pages and
    subfolders in the folder will also not be cached).
            When caching is turned off for a document, Xcache returns the
    absolute pathname to that document in the HTTP headers. Sample headers
     are below:

    [macavityhorus ~/work/research]$ telnet 80
    Connected to
    Escape character is '^]'.
    GET /home/index.html HTTP/1.0

    HTTP/1.1 200 OK
    Content-PageName: D:\Inetpub\wwwroot\home\index.html
    Date: Tue, 18 Sep 2001 16:08:59 GMT
    Content-Type: text/html
    Accept-Ranges: bytes
    Last-Modified: Tue, 18 Sep 2001 15:10:48 GMT
    ETag: "0ccc3185440c11:925"
    Content-Length: 59
    Server: Microsoft-IIS/5.0 Running XCache Version (2.1.5629.1)


                    This is a test...
    Connection closed by foreign host.

               The pathname is revealed as the header 'Content-PageName'
    in the server response.

               As previously mentioned, if a folder has caching disabled,
    all documents contained in that folder and its subfolders are also not
     cached, and have their paths given out as above. This applies to
    static HTML pages, images and dynamic content such as .asp scripts.

               This information can be critical to an attacker, as many
    webserver vulnerabilities require the attacker to know the webroot, so
     as to be able to provide an appropriate path to an executable such as
     'cmd.exe', or other useful information held outside the root
    directory of the webserver.

               Moreover, if the document requested is held outside the
    webroot, for example the /scripts or /msadc folders, then Xcache will
    still return the absolute path of the document. In the common case
    where the webserver content is held on a drive partition different to
    the operating system, this allows an attacker to quickly check which
    folders map to directories on the system partition, and hence can help
     access critical OS executables.

               Hence, while this vulnerability itself does not compromise
    the machine, it reveals information that will assist an attacker
    greatly in using other exploits, such as the Unicode or Double-decode
    vulnerabilities for IIS 5.

    Tested Versions:
    ~~~~~~ ~~~~~~~~~
           Xcache 2.1 (current version) for Windows NT and Windows 2000
           (The authors were not able to obtain any previous versions,
    but have found installations of Xcache 2.0 in the wild that appear to
     be vulnerable)

    Tested Operating Systems:
    ~~~~~~ ~~~~~~~~~ ~~~~~~~~
           Windows NT4 Server + Option Pack + SP6a
           Windows 2000 Server + SP2

    Vendor & Patch Information:
    ~~~~~~ ~ ~~~~~ ~~~~~~~~~~~~
           The vendor of this product, Xcache Technologies, was
    contacted. They were receptive to our report and produced a patch
    within 24 hours.

           The patch is not available for public download, but users of
    Xcache can obtain it by contacting supportxcache.com.

            No workarounds for this vulnerability have been discovered.

            Initial vulnerability discovery: B-r00t (br00tirmplc.com)
                                             Jacob (jacobirmplc.com)
            Testing and Advisory: Macavity (macavityirmplc.com)
            Thanks: morphsta (morphirmplc.com)
                    Monkfish (monkfishirmplc.com)
                    indig0 (indig0talk21.com)

            All information in this advisory is provided on an 'as is'
    basis in the hope that it will be useful. Information Risk Management
    Plc is not responsible for any risks or occurrences caused
    by the application of this information.

    A copy of this advisory may be found at

    The PGP key used to sign IRM advisories can be obtained from the above
    URL, or from keyserver.net and its mirrors.

    Information Risk Management Plc. http://www.irmplc.com
    22 Buckingham Gate advisoriesirmplc.com
    London infoirmplc.com
    SW1E 6LB
    +44 (0)207 808 6420

    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    -----END PGP SIGNATURE-----