
websitepro.txt
Posted Sep 11, 2000
Authored by Crono

WebSite Pro is a web server for Win95/98/NT platforms. The vulnerability (or bad server administration) allows any user to create arbitrary files with arbitrary text on the victim machine from an Internet web browser. In a default installation, any user can create or upload files to the victim machine running a vulnerable version of WebSite Pro. The problem is bad access protection on the main directories on the machine.

tags | exploit, web, arbitrary
systems | windows
SHA-256 | bd5cdf4a6fed674aba622112ecb317033d101e50f0c57a16cba894aadc40d73e

Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Crono <crono@THEPENTAGON.COM>
Subject: WebServer Pro 2.3.7 Vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

-- WebSite Pro 2.3.7 Vulnerability --

WebSite Pro is a web server for Win95/98/NT platforms.

The vulnerability (or bad server administration) allows any user
to create arbitrary files with arbitrary text on the victim machine
from an Internet web browser.

In a default installation any user can create or upload files to the
victim machine running a vulnerable version of WebSite Pro. The problem
is bad access protection on the main directories on the machine.

In a default installation, WebServer Pro creates the following
directories in its root directory, readable (by default) by any user:

cgi-win
cgi-shl
cgi-src
cgi-temp

The problem is in the application called "uploader.exe", located in the
/cgi-win directory. In other versions of WebSite Pro this directory cannot
be read by arbitrary users, but in this version WebServer fails when
checking the root directories and the proper web-html directories.

For example, if we install WebServer Pro in c:\website, WebServer
creates:

c:\website\cgi-win
c:\website\cgi-shl
c:\website\cgi-src
...

with various information and applications inside.

We must choose a directory for our own web pages (by default
c:\website\htdocs), but in this example we will set our web root
directory to c:\mywebs\libros, so our index.html is
c:\mywebs\libros\index.html. This directory holds only the
web page files, not cgi-win or any other cgi directory...

Now, if we connect to the web server using a normal Internet Explorer
and try to read a file that does not exist in the directory, we get this
error message:

----------------------------------
GET www.victim.com/foo

404 Not Found

The requested URL was not found on this server:

/foo

(C:\mywebs\libros\foo)
----------------------------------

As we can see, WebServer reveals the real path of the web server.
(Vulnerability published several months ago.)

But if we try to access the cgi-win directory, WebServer automatically
and "magically" redirects us to the real cgi-win directory, located in
c:\website\cgi-win
Example:

-----------------------

GET www.victim.com/cgi-win

404 Not Found

The requested URL was not found on this server:

/cgi-win/

(C:\WebSite\cgi-win\)
------------------------------

As we can see, WebServer tells us that this directory doesn't
exist... but if we try to execute the default application "uploader.exe"
located in the real cgi-win directory...

---------------------------------
GET www.victim.com/cgi-win/uploader.exe

Whoops! We reach a CGI web page that allows us to upload any file from
our machine to the remote machine.

This readable-directory error is the same for cgi-shl and cgi-src.

In other versions, if you define your root directory as
c:\mywebs\libros
you can't upload to parent directories and can't change to the real
cgi-win directory.



Solution:

Change the permissions of cgi-win and the other cgi
directories, or delete uploader.exe.


I found this bug in WebServer Pro version 2.3.7. I don't know if earlier
versions are vulnerable too, but in version 2.3.3 this bug doesn't
exist.


Sorry for my English...

/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/

Bug found by Crono (Hispano Scene) crono@thepentagon.com

I take this opportunity to greet the folks in #phreak, #hacker_novatos,
#hacking, and #hpcv.

24-8-2000 (Spain)
/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/
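
Added example (not part of the original advisory): a log check for requests that reach the default CGI directories and uploader.exe from outside the web root, so an administrator can tell probes from requests that were actually served. It assumes the access log is in Common Log Format; the function names and sample log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Default CGI directories named in the advisory.
CGI_DIRS = {"cgi-win", "cgi-shl", "cgi-src", "cgi-temp"}

# Assumption: access log in Common Log Format; adapt the pattern otherwise.
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+')

def classify(line):
    """Return a finding dict for a request into a default CGI directory, else None."""
    m = CLF.match(line)
    if not m:
        return None
    # Windows paths are case-insensitive and clients may percent-encode or
    # add ./ and ../ segments, so normalise before comparing.
    raw = unquote(m["url"].split("?", 1)[0]).replace("\\", "/").lower()
    parts = [p for p in posixpath.normpath("/" + raw).split("/") if p]
    if not parts or parts[0] not in CGI_DIRS:
        return None
    served = int(m["status"]) < 400
    if parts[-1] == "uploader.exe" and served:
        severity = "high"      # upload form served or upload accepted
    elif served:
        severity = "medium"    # other content served from a CGI directory
    else:
        severity = "low"       # probe that was refused or not found
    return {"host": m["host"], "method": m["method"],
            "path": "/" + "/".join(parts), "severity": severity}

def scan(lines):
    """Classify every log line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [24/Aug/2000:10:01:02 +0200] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [24/Aug/2000:10:02:11 +0200] "GET /cgi-win/ HTTP/1.0" 404 312',
    '198.51.100.7 - - [24/Aug/2000:10:02:30 +0200] "GET /CGI-WIN/uploader.exe HTTP/1.0" 200 2210',
    '198.51.100.7 - - [24/Aug/2000:10:03:05 +0200] "POST /cgi-win/upl%6Fader.exe HTTP/1.0" 200 158',
    '203.0.113.4 - - [24/Aug/2000:10:05:00 +0200] "GET /cgi-src/ HTTP/1.0" 403 200',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any "high" finding means uploader.exe answered a request; after applying the fix above, the same requests should only ever appear as "low".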
