HTTP Potential Problems

Impact

The web server contains an application which may have a vulnerability. If the vulnerability is present, an unauthorized user could read files, change files, or execute commands on the server.

Background

The HyperText Transfer Protocol (HTTP) allows a client to access HTML pages and other web applications using a web browser. HTTP servers contain programs which perform functions on the server at the request of the client (when a form is submitted, for example), and transmit results to the client's browser in the form of an HTML page.

The Problems

Various programs which may be installed with certain Web servers are vulnerable to exploitation. These include:

piranha/secure/passwd.php3:
CVE 2000-0322
Piranha is a utility which comes with Red Hat Linux for administering the Linux Virtual Server. It comes with a default backdoor password which could allow unauthorized access to the Graphical User Interface (GUI). By exploiting vulnerabilities in the tools that come with the GUI, an attacker who knows the backdoor password could execute arbitrary commands on the server. Any server which has piranha-gui 0.4.12 installed, which is the default for Red Hat 6.2, is vulnerable.

cart32.exe:
This program is part of Cart 32, an E-Commerce Shopping Cart application. By default, it has a backdoor password of "wemilo". An attacker who knows this password could view a list of client passwords using an undocumented URL such as http://hostname/scripts/cart32.exe/cart32clientlist. The hashed client passwords could be used to execute arbitrary commands on the server using a specially crafted URL.

emurl/RECMAN.dll:
CVE 2000-0397
SeattleLab's Emurl 2.0 and earlier versions authenticate users with a simple ASCII encoding scheme based on the user's login name. This makes it possible to read other users' mail, reconfigure their accounts, or steal their POP passwords.

guestbook:
CVE 1999-0237
Selena Sol's guestbook CGI program could allow an attacker to execute arbitrary commands on the server if server side includes are enabled.

excite:
CVE 1999-0279
Excite for Web Servers does not sufficiently check queries for special characters before passing them to a shell. It is possible for a remote attacker to execute arbitrary commands on the server by exploiting this condition. Excite 1.1 for either Unix or Windows NT is affected by this vulnerability if patches have not been applied after 1/16/98.

site/eg/source.asp:
CVE 2000-0628
Apache::ASP comes with a sample script which can be exploited to write to files in the same directory as the script. Versions prior to 1.95 are vulnerable.

w3-msql:
CVE 2000-0012
Mini SQL has a buffer overflow condition which could allow a remote attacker to execute arbitrary commands on the server. Versions 2.0.4.1 through 2.0.11 for Unix and Linux are affected by this vulnerability.

wais.pl:
This script is a web interface to the waisq client. A vulnerability in wais.pl could allow a remote user to set command-line options through input parameters, thereby overwriting files on the server. This vulnerability also exposes a buffer overflow condition in waisq.

ddicgi.exe:
This program is part of Mobius DocumentDirect for Internet. A buffer overflow condition could allow a remote attacker to execute arbitrary code.

db2www:
CVE 2000-0677
This program is part of the Net.Data application, which is used for web development. A buffer overflow in the processing of the PATH_INFO environment variable could allow an attacker to execute arbitrary code.

search97cgi/vtopic:
This file is the search function used by the SCO UnixWare 7 scohelphttp web server. Due to a format string vulnerability, an attacker could execute arbitrary commands on the server with the privileges of the nobody user.

webplus:
This script is part of the Web+ web application server. A vulnerability in the script could allow a remote attacker to view the source code of WML files, and possibly ASP files, by appending the string "::$DATA" to the URL. Additionally, the webping sample script could allow a remote attacker to view arbitrary files in the Linux version.

Big Brother:
CVE 2000-0639
A vulnerability in Big Brother could allow a remote attacker to execute arbitrary commands on the server by creating a file on the server and then going to the file in a web browser. A second vulnerability could allow a remote attacker to execute arbitrary code by sending specially crafted input to the server.

Directory Services Gateway (dsgw):
A buffer overflow condition in Netscape/iPlanet Directory Server 4.12 and Certificate Management System 4.2 could allow a remote attacker to execute arbitrary code or create a denial of service.
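One defender-side use of the list above is to watch the web server's access log for requests that touch any of the named programs, since probes for these legacy CGI and ISAPI components are easy to spot by path. The script below is an added example, not part of the original advisory; it assumes Apache "combined" log format and constructed sample lines, and the ADS suffix "::$DATA" from the webplus entry is checked as a separate indicator.

```python
import re
from urllib.parse import unquote

# Components named in this advisory, matched as substrings of the decoded
# request path. Short names such as "excite" or "guestbook" may also match
# unrelated paths, so treat hits as leads to review, not confirmed attacks.
VULNERABLE_COMPONENTS = [
    "piranha/secure/passwd.php3", "cart32.exe", "emurl/RECMAN.dll",
    "guestbook", "excite", "site/eg/source.asp", "w3-msql", "wais.pl",
    "ddicgi.exe", "db2www", "search97cgi/vtopic", "webplus", "dsgw",
    "::$DATA",  # NTFS alternate data stream suffix used for source disclosure
]

# Apache "combined" format: client IP, identd, user, [timestamp],
# "METHOD PATH PROTOCOL", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def flag_requests(lines):
    """Return (client_ip, status, component) for each request whose
    URL-decoded path contains one of the listed components."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # Decode %-escapes and lower-case so "CART32.EXE" or "cart%33%32.exe"
        # do not slip past the substring check.
        path = unquote(m.group("path")).lower()
        for comp in VULNERABLE_COMPONENTS:
            if comp.lower() in path:
                hits.append((m.group("ip"), int(m.group("status")), comp))
                break
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /scripts/cart32.exe/cart32clientlist HTTP/1.0" 200 512',
    '203.0.113.5 - - [10/Oct/2000:13:55:37 -0700] "GET /index.html HTTP/1.0" 200 2048',
    '198.51.100.7 - - [10/Oct/2000:13:56:01 -0700] "GET /cgi-bin/w3-msql/ HTTP/1.0" 404 211',
    '198.51.100.7 - - [10/Oct/2000:13:56:02 -0700] "GET /scripts/default.asp::$DATA HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for ip, status, comp in flag_requests(SAMPLE_LOG):
        print(f"{ip} requested {comp} (status {status})")
```

A 404 on one of these paths still matters: it shows the client is scanning for the component even though it is not installed.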

Resolutions

piranha/secure/passwd.php3:
Upgrade the piranha-gui package to version 0.4.13-1 or higher.

cart32.exe:
Using a hex editor, change the backdoor password (found at 0x6204h) to something else. Also change the permissions on c32web.exe so that it is only accessible by administrators. This will prevent unauthorized users from executing arbitrary commands using a specially crafted URL. Alternatively, apply the patch developed by L0pht.

emurl/RECMAN.dll:
Replace Emurl with a version higher than 2.0.

guestbook:
Disable server side includes. If this is not possible, or for additional security protection, make the following changes to the guestbook setup file:

excite:
Install the patch.

site/eg/source.asp:
Either delete the script, or upgrade to Apache::ASP version 1.95 or higher.

w3-msql:
Apply the patch which can be found in the X-Force Advisory.

wais.pl:
In waisq.pl, change @query to $pquery at the end of the line that begins with "open(WAISQ". As an additional precaution, recompile waisq with the following change in the source code:

char pathname[MAX_FILENAME_LEN+1];
to
char pathname[MAX_FILENAME_LEN*2+1];

ddicgi.exe:
Contact Mobius for a patch.

db2www:
Download and install the fix for your operating system.

search97cgi/vtopic:
Disable the web server which runs on port 457, or apply the workaround described in Bugtraq.

webplus:
Upgrade to version 4.6, build 542 or higher. Remove all sample scripts.

Big Brother:
The workaround for the first vulnerability is to implement access restrictions in the $BBHOME/etc/security file. This file is not enabled by default. The solution for the second vulnerability is to implement the workaround posted to Bugtraq or upgrade to Big Brother version 1.5c2 or higher.

Directory Services Gateway (dsgw):
Apply a patch when one becomes available.

Where can I read more about this?

piranha/secure/passwd.php3:
See the X-Force advisory.

cart32.exe:
See the Cerberus Advisory.

emurl/RECMAN.dll:
See the Bugtraq posting.

guestbook:
See the X-Force Advisory.

excite:
See the X-Force Advisory.

site/eg/source.asp:
See the Bugtraq posting.

w3-msql:
See the X-Force Advisory.

ddicgi.exe:
This vulnerability was discussed in an advisory from @stake.

db2www:
This vulnerability was discussed in an X-Force Advisory.

search97cgi/vtopic:
See the Bugtraq posting.

webplus:
The ::$DATA problem and the webping problem were both posted to Bugtraq.

Directory Services Gateway (dsgw):
See the CORE-SDI advisories on the denial-of-service vulnerability and the arbitrary code execution vulnerability.