VID 21038
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description The "dumpenv.pl" CGI is installed on the web server, which appears to be running Sambar Web Server.
Many 4.1 beta releases are vulnerable to allowing read access to the local hard drive of the machine on which the Sambar Server is running.

To test, run the sample Perl script:

http://www.target.com/cgi-bin/dumpenv.pl

Now you see the complete environment of the victim's computer, including his path. Now you can try to log in as the administrator by adding this to the URL:

/session/adminlogin?RCpage=/sysadmin/index.stm

The default login is: admin and the default password is blank.

If the victim hasn't changed his settings, you can now control his server.

Another feature is to view the victim's HDD. If you were able to run the Perl script, you should also be able (in most cases) to view directories from his path. Most people have 'c:/program files' and 'c:/windows' in the path line, so what you can do is:

http://www.victim.com/c:/program files/sambar41

* References:
http://www.dataguard.no/bugtraq/1998_2/0511.html
http://www.uia.ac.be/u/peper/sambar/v41/security.htm
http://www.sambar.com/syshelp/security.htm
Recommendation 1. Sambar Server 4.1 beta users should upgrade to the 4.1 production release as soon as possible.

2. Don't allow directory browsing if index.html or default.html isn't found.

3. Set your admin password IMMEDIATELY if you have not already done so.

4. A number of "sample" CGI scripts ship with the Sambar Server that you should probably not leave on a production system unless you are making use of them and have properly secured their use. Two in particular that should be removed are: upload.pl and dumpenv.pl.
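
To check whether the requests described above have already been made against a server, the access log can be searched for them. The script below is an added example, not part of the original advisory or of Sambar Server; it assumes the log is in Common Log Format, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Request patterns taken from the description and recommendations above.
PATTERNS = {
    "dumpenv_cgi": re.compile(r"^/cgi-bin/dumpenv\.pl(?:[?/]|$)", re.I),
    "upload_cgi": re.compile(r"^/cgi-bin/upload\.pl(?:[?/]|$)", re.I),
    "admin_login": re.compile(r"^/session/adminlogin(?:\?|$)", re.I),
    "drive_path": re.compile(r"^/[a-z]:[/\\]", re.I),  # e.g. /c:/windows
}
# Assumption: Common Log Format; adjust to the server's actual log layout.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<uri>.+?) HTTP/[\d.]+" (?P<status>\d{3}) ')

def classify(uri):
    """Return names of all patterns matching the percent-decoded request URI."""
    decoded = unquote(uri)
    return [name for name, rx in PATTERNS.items() if rx.search(decoded)]

def summarize(lines):
    """Group matched patterns by client IP; 'served' lists URIs answered 2xx."""
    report = {}
    for line in lines:
        m = CLF.match(line)
        hits = classify(m["uri"]) if m else []
        if not hits:
            continue
        entry = report.setdefault(m["ip"], {"hits": set(), "served": []})
        entry["hits"].update(hits)
        if m["status"].startswith("2"):
            entry["served"].append(m["uri"])
    return report

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/1999:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [01/Jan/1999:10:00:05 +0000] "GET /cgi-bin/dumpenv.pl HTTP/1.0" 200 2310',
    '198.51.100.7 - - [01/Jan/1999:10:00:09 +0000] "GET /session/adminlogin?RCpage=/sysadmin/index.stm HTTP/1.0" 200 512',
    '198.51.100.7 - - [01/Jan/1999:10:00:20 +0000] "GET /c:/program%20files/sambar41 HTTP/1.0" 200 4096',
    '192.0.2.10 - - [01/Jan/1999:10:01:00 +0000] "GET /docs/c:/notes.txt HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE).items():
        print(ip, sorted(entry["hits"]), "served:", entry["served"])
```

A 2xx status on a dumpenv.pl or drive-letter request means the server answered it, so recommendations 1, 2 and 4 have not been applied; adminlogin hits also occur in normal administration and should be judged by source address.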