
Explore Vulnerabilities


Buffer Overflow in O’Reilly WebSite (Pro)

O'Reilly WebSite (Pro) is a Windows 95/NT web server package. Versions 2.0 and below contained a vulnerable sample script, win-c-sample.exe, placed by default in /cgi-shl/ off the web root directory. This program is vulnerable to a buffer overflow, allowing execution of arbitrary commands on the host machine with the privileges of the web server. Consequences of successful exploitation could range from destruction of data and web site defacement to elevation of privileges through locally exploitable vulnerabilities. The example DOS commands just copy the WebSite readme.1st file, so you can later check whether the exploit worked by requesting http://website.host/x1.htm. Note that the server should respond to these exploits with an 'Error: no blank line separating header and data', because the '1 file(s) copied' message appears without the blank line before it that HTTP requires; if you need a command's output, you can redirect it to a file and fetch that file via HTTP with a separate request.

Novell Web Server 3.x Examples Toolkit v.2

Novell Web Server 3.x Examples Toolkit v.2 is a package containing example scripts and HTML files to help administrators design web sites. It is not a supported Novell product and is provided solely as a convenience to the user. The toolkit contained a script called 'FILES.PL' that could be used by a remote attacker to view the contents of files or directories on the server. This is done by passing the parameter 'file=<file-or-directory-to-view>' to the script. An attacker could gain information useful in conducting subsequent attacks, or retrieve personal or proprietary information.

WEBgais Remote Command Execution Vulnerability

WEBgais is a package that provides a web interface to the 'gais' (Global Area Intelligent Search) search engine tool. This package contains a vulnerable script, websendmail, which can be used to execute arbitrary commands on the server with the privileges of the web server. User-supplied data (from the 'receiver=' form variable) is passed to the Perl open() function without proper input validation, allowing the use of shell metacharacters to separate commands. This can be exploited directly by submitting, via the POST method, the variable 'receiver=' with the command-separation shell metacharacter (;) followed by a command. Consequences could range from destruction of data and web site defacement to elevation of privileges through locally exploitable vulnerabilities.

Microsoft Internet Information Server (IIS) Source Code Disclosure Vulnerability

Microsoft Internet Information Server (IIS) is vulnerable to a source code disclosure vulnerability. This vulnerability allows a remote user to retrieve the source code for any script (that has read permissions on the server) via a web browser by appending a period (.) to the end of a URL requesting a specific script. This applies to any file type in the "script-map list", including .asp, .ht., .id, .PL, and others. A Microsoft hotfix for this issue was released, but has been found vulnerable to a variation in which the period is replaced by %2e, the hexadecimal encoding of the same character.

Cisco Catalyst Memory Leak Vulnerability

The telnet server that is built into the Catalyst firmware for remote administration contains a memory leak vulnerability that can result in a denial of service. Each time the telnet service starts, memory resources are allocated without being freed afterwards. As a result, memory can be depleted by connecting multiple clients to the Catalyst telnet server, leaving the device unable to function properly.

Default Username and Password Vulnerability in IBM DB2 Universal Database

DB2 Universal Database contains a default username and password that grant a user access to the database. During the installation of DB2, the administrator is not prompted to change these passwords, which opens up the possibility of unauthorized users accessing the database if they know the default username and password.

Buffer Overflow in FileCopa FTP Server

A buffer overflow vulnerability exists in the 6/4/2006 build of FileCopa FTP Server. An attacker can exploit this vulnerability by sending a specially crafted FTP request containing a malicious payload. This payload overwrites the return address of the function and executes arbitrary code on the vulnerable system.

IBM DB2 Universal Database Crash

It may be possible for a database user to crash the server through a bug in the handling of certain queries. If a query is executed that contains a datetime type and a varchar type, the server may cease to function, requiring a manual reset. The following example was submitted by Benjurry in their advisory: connect reset; connect to sample user db2admin using db2admin; select * from employee where year(birthdate)=1999 and firstnme<''; The cause of this behaviour is not known. Restarting the application is required in order to regain normal functionality.

Endymion MailMan Webmail 3.x Insecure Use of open() Vulnerability

A vulnerability exists in 3.x versions of Endymion MailMan Webmail prior to release 3.0.26. This widely used Perl script provides a web-based email interface. Affected versions make insecure use of the Perl open() function. Attackers can influence how open() behaves and execute arbitrary commands. These commands are executed with the privilege level of the CGI script (commonly user 'nobody'). This vulnerability may allow remote attackers to gain interactive 'local' access on the target server.

Ultraseek Server Path Disclosure Vulnerability

Due to a failure to properly validate user-supplied input, a URL submitted by a remote user of the form http://target:8765/example/ will, if the file 'example' does not exist, return an error message that discloses sensitive path and server configuration information. As a result, an attacker can obtain information about the server's configuration and directory structure, which could be used to support further attacks.
