[ SOURCE: http://www.secureroot.com/security/advisories/9671778845.html ] -- WebSite Pro 2.3.7 Vulnerability -- WebSite Pro is a Web Server for Win95/98/NT plataforms. The vulnerability (or bad server administration) allow any user to create arbitrary files with arbitrary text on the victim machine, from the Internet Web Browser. By a default installation any user can create or uploads files to the victim machine running a vulnerable version of WebSite Pro. The problem is a bad "protection access" of the main directories on the machine. In a default installation, WebServer Pro, create on him root directory the next directories readables (by default) from any user: cgi-win cgi-shl cgi-src cgi-temp The problem is in the aplication called "uploader.exe" located on /cgi-win directory. In other versiones of WebSite Pro this directory is unable to read from any user, but in these version, WebServer fail when check the roots directories and the proper web-html directories. For example, if we install WebServer Pro in c:\website, WebServer create: c:\website\cgi-win c:\website\cgi-shl c:\website\cgi-src ... with various information and aplications inside. We must choose a directory for own we web page (by default in c:\website\htdocs), but, in these example, we will install we root web directory in c:\mywebs\libros, so we have we index.html in c:\mywebs\libros\index.html. In these directory only reside the web page files, not cgi-win or other cgi directory... Well, if we connect to the web server using a normal Internet Explorer, and we try to read a file that not exist in the directory, we find this error message: ---------------------------------- GET www.victim.com/foo 404 Not Found The requested URL was not found on this server: /foo (C:\mywebs\libros\foo) ---------------------------------- How we can see, WebServer revealed the real path of the webserver. (Vulnerability published various mouths ago) But if we try to access to cgi-win directory, automatically and "magically" the WebServer redirect us to the real cgi-win directory, located in c:\website\cgi-win Example: ----------------------- GET www.victim.com/cgi-win 404 Not Found The requested URL was not found on this server: /cgi-win/ (C:\WebSite\cgi-win\) ------------------------------ How we can see, the WebServer say us that these directory dosnīt exist... but if we try to ejecute the default aplicacion "uploader.exe" located in real cgi-win directory... --------------------------------- GET www.victim.com/cgi-win/uploader.exe WopS! we enter in a cgi web page that allow us to upload any file in we machine to the remote machine. This error in readable directories, is the same for cgi-shl and cgi-src. In other version, if you define your root directories as c:\mywebs\libros you cannīt upload to parent directories and cannīt change to cgi-win real directory. Solution: Change the permisions of cgi-win and other cgi directories, or deleting uploader.exe. I found these bug in WebServer Pro 2.3.7 version, I donīt know if early versions are vulnerable too, but in 2.3.3 version, these bug donīt exist. Sorry for my english... /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/ Bug found by Crono (Hispano Scene) crono@thepentagon.com Aprovecho para saludar a la peņa de #phreak, #hacker_novatos, #hacking, y #hpcv. 24-8-2000 (Spain) /-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/