
Title: WebSite Pro 2.3.7 Vulnerability
Released by: Crono
Date: 24th August 2000
-- WebSite Pro 2.3.7 Vulnerability --



WebSite Pro is a web server for Win95/98/NT platforms.



The vulnerability (or bad server administration) allows any user
to create arbitrary files with arbitrary text on the victim machine
from an Internet web browser.



In a default installation, any user can create or upload files on a
machine running a vulnerable version of WebSite Pro. The problem
is bad "access protection" on the main directories of the machine.



In a default installation, WebSite Pro creates the following
directories in its root directory, readable (by default) by any user:

cgi-win
cgi-shl
cgi-src
cgi-temp



The problem is in the application called "uploader.exe", located in the
/cgi-win directory. In other versions of WebSite Pro this directory
cannot be read by any user, but in this version the web server fails
when it checks the root directories and the proper web-html directories.



For example, if we install WebSite Pro in c:\website, it creates:

c:\website\cgi-win
c:\website\cgi-shl
c:\website\cgi-src
...

with various information and applications inside.



We must choose a directory for our own web pages (by default
c:\website\htdocs), but in this example we set our web root
directory to c:\mywebs\libros, so our index.html is at
c:\mywebs\libros\index.html. Only the web page files reside in this
directory, not cgi-win or any other cgi directory...



If we connect to the web server using a normal Internet Explorer and
try to read a file that does not exist in the directory, we get this
error message:



----------------------------------
GET www.victim.com/foo

404 Not Found

The requested URL was not found on this server:

/foo

(C:\mywebs\libros\foo)
----------------------------------



As we can see, the web server reveals its real path.
(This vulnerability was published several months ago.)



But if we try to access the cgi-win directory, the web server
automatically and "magically" redirects us to the real cgi-win
directory, located in c:\website\cgi-win.
Example:



-----------------------
GET www.victim.com/cgi-win

404 Not Found

The requested URL was not found on this server:

/cgi-win/

(C:\WebSite\cgi-win\)
------------------------------



As we can see, the web server tells us that this directory doesn't
exist... but if we try to execute the default application
"uploader.exe" located in the real cgi-win directory...



---------------------------------
GET www.victim.com/cgi-win/uploader.exe

Whoops! We reach a CGI web page that allows us to upload any file
from our machine to the remote machine.



This readable-directory error is the same for cgi-shl and cgi-src.



In other versions, if you define your root directory as
c:\mywebs\libros, you can't upload to parent directories and can't
change to the real cgi-win directory.







Solution:

Change the permissions of cgi-win and the other cgi
directories, or delete uploader.exe.
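
To confirm the fix holds, the server's access log can be checked for requests to uploader.exe and the CGI directories listed above. The Python scan below is an added example, not part of the original advisory; the Common Log Format layout, the assumption that uploads arrive as POST requests, and the sample log lines are all assumptions or constructed data.

```python
import re
from urllib.parse import unquote

# Directory names and CGI program taken from the advisory text.
CGI_DIRS = ("cgi-win", "cgi-shl", "cgi-src", "cgi-temp")
UPLOADER = "/cgi-win/uploader.exe"

# Assumption: Common Log Format. Adjust the pattern to the server's real log layout.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def normalize(path):
    """Drop the query string, decode %xx escapes, unify slashes and case
    (Windows paths are case-insensitive)."""
    path = unquote(path.split("?", 1)[0]).replace("\\", "/").lower()
    return re.sub(r"/+", "/", path)

def classify(line):
    """Return (client, severity, reason) if the line touches a CGI directory, else None."""
    m = CLF.match(line)
    if not m:
        return None
    client, _when, method, raw, status = m.groups()
    path, status = normalize(raw), int(status)
    if path == UPLOADER:
        # Assumption: the upload form submits with POST.
        if method == "POST" and status < 400:
            return (client, "high", "file uploaded through uploader.exe")
        if status < 400:
            return (client, "medium", "uploader.exe form served")
        return (client, "low", "uploader.exe requested but refused")
    if any(path == f"/{d}" or path.startswith(f"/{d}/") for d in CGI_DIRS):
        return (client, "low", "request for a CGI directory")
    return None

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '192.0.2.10 - - [24/Aug/2000:10:00:01 +0200] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [24/Aug/2000:10:02:13 +0200] "GET /cgi-win HTTP/1.0" 404 312',
    '192.0.2.77 - - [24/Aug/2000:10:02:20 +0200] "GET /CGI-WIN/uploader.exe HTTP/1.0" 200 2210',
    '192.0.2.77 - - [24/Aug/2000:10:03:02 +0200] "POST /cgi-win/%75ploader.exe HTTP/1.0" 200 187',
    '192.0.2.10 - - [24/Aug/2000:10:05:00 +0200] "GET /cgi-window.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for client, severity, reason in scan(SAMPLE):
        print(f"{severity:6} {client:12} {reason}")
```

After the permissions are changed or uploader.exe is deleted, any remaining "medium" or "high" hit means the server still serves the uploader.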





I found this bug in WebServer Pro version 2.3.7. I don't know if earlier
versions are vulnerable too, but in version 2.3.3 this bug doesn't
exist.





Sorry for my English...



/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/

Bug found by Crono (Hispano Scene) crono@thepentagon.com

I take this opportunity to greet the crowd from #phreak, #hacker_novatos,
#hacking, and #hpcv.

24-8-2000 (Spain)

/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
