HTTP Potential Problems

Impact

The web server hosts one of the applications listed below, which may be vulnerable. If the vulnerability is present, an unauthorized remote user could, depending on the program, read or modify files, obtain passwords, or execute arbitrary commands on the server.

Background

The HyperText Transfer Protocol (HTTP) allows a client, typically a web browser, to retrieve HTML pages and use web applications. HTTP servers host programs (CGI scripts and other server extensions) which perform functions on the server at the request of the client (when a form is submitted, for example) and return the result to the client's browser, usually as an HTML page.

The Problems

Various programs which may be installed with certain Web servers are vulnerable to exploitation. These include:

piranha/secure/passwd.php3:
Piranha is a utility which comes with Red Hat Linux for administering the Linux Virtual Server. It ships with a default backdoor password which allows unauthorized access to its web-based Graphical User Interface (GUI). By exploiting vulnerabilities in the tools behind the GUI, an attacker who knows the backdoor password could execute arbitrary commands on the server. Any server with piranha-gui 0.4.12 installed (the version shipped with Red Hat Linux 6.2) is vulnerable.

cart32.exe:
This program is part of Cart 32, an E-Commerce Shopping Cart application. By default, it has a backdoor password of "wemilo". An attacker who knows this password could view a list of client passwords using an undocumented URL such as http://hostname/scripts/cart32.exe/cart32clientlist. The hashed client passwords could be used to execute arbitrary commands on the server using a specially crafted URL.

emurl/RECMAN.dll:
CVE-2000-0397
SeattleLab's Emurl 2.0 and earlier versions authenticate users with a simple, reversible ASCII encoding of the user's login name rather than a secret credential, so anyone who knows a login name can forge the credential. This makes it possible to read other users' mail, reconfigure their accounts, or steal their POP passwords.

guestbook:
CVE-1999-0237
Selena Sol's guestbook CGI program could allow an attacker to execute arbitrary commands on the server if server side includes are enabled.

excite:
CVE-1999-0279
Excite for Web Servers does not sufficiently check queries for shell special characters before passing them to a shell. A remote attacker can therefore execute arbitrary commands on the server by embedding shell metacharacters in a query. Excite 1.1 for either Unix or Windows NT is affected unless patches released after January 16, 1998 have been applied.

site/eg/source.asp:
Apache::ASP comes with a sample script which can be exploited to write to files in the same directory as the script. Versions prior to 1.95 are vulnerable.

w3-msql:
CVE-2000-0012
The w3-msql CGI interface to Mini SQL has a buffer overflow condition which could allow a remote attacker to execute arbitrary commands on the server. Versions 2.0.4.1 through 2.0.11 for Unix and Linux are affected by this vulnerability.

wais.pl:
This script is a web interface to the waisq client. wais.pl splits the user's query into words and passes each word to waisq as a separate command-line argument, so a remote user can supply waisq options through the query parameters and, for example, overwrite files on the server. This vulnerability also exposes a buffer overflow condition in waisq.

Resolutions

piranha/secure/passwd.php3:
Upgrade the piranha-gui package to version 0.4.13-1 or higher.

cart32.exe:
Using a hex editor, change the backdoor password (found at offset 0x6204) to something else, keeping the new password the same length so that no other bytes in the executable shift. Also change the permissions on c32web.exe so that only administrators can execute it. This prevents unauthorized users from executing arbitrary commands using a specially crafted URL. Alternatively, apply the patch developed by L0pht.
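The hex-edit step above, as an added example in Python (this is not Cart32's own code or the L0pht patch): it searches for the backdoor string to confirm the offset, then overwrites it in place with a random password of the same length. The image it runs against is a constructed stand-in, not cart32.exe; the offset 0x6204 is the one the page gives and may differ in other builds, which is why the original string is verified at that offset before anything is written.

```python
import secrets
import string

# Offset and value the page gives for the Cart32 backdoor password. The
# offset belongs to the cart32.exe build the advisory describes, so
# find_backdoor() is used to confirm it before patching.
BACKDOOR_OFFSET = 0x6204
BACKDOOR_PASSWORD = b"wemilo"
ALPHABET = string.ascii_letters + string.digits


def make_sample_binary():
    """Constructed stand-in for cart32.exe (NOT the real executable): filler
    bytes with the backdoor string placed at the documented offset."""
    data = bytearray(b"\x90" * (BACKDOOR_OFFSET + 0x100))
    data[BACKDOOR_OFFSET:BACKDOOR_OFFSET + len(BACKDOOR_PASSWORD)] = BACKDOOR_PASSWORD
    return bytes(data)


def find_backdoor(data):
    """Return every offset at which the backdoor string occurs in the image."""
    offsets, start = [], 0
    while (pos := data.find(BACKDOOR_PASSWORD, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def new_password(length):
    """Random replacement password of exactly the requested length."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length)).encode("ascii")


def patch_backdoor(data, replacement, offset=BACKDOOR_OFFSET):
    """Overwrite the backdoor string in place and return the patched image.
    The replacement must have the same length as the original: bytes are
    overwritten where they are, nothing is inserted or removed, so no other
    part of the executable moves. The original string is checked at the
    offset first so that a different build is not silently corrupted."""
    if len(replacement) != len(BACKDOOR_PASSWORD):
        raise ValueError("replacement must be exactly %d bytes" % len(BACKDOOR_PASSWORD))
    found = data[offset:offset + len(BACKDOOR_PASSWORD)]
    if found != BACKDOOR_PASSWORD:
        raise ValueError("expected %r at %#x, found %r" % (BACKDOOR_PASSWORD, offset, found))
    patched = bytearray(data)
    patched[offset:offset + len(replacement)] = replacement
    return bytes(patched)


def patch_file(src, dst, replacement):
    """File wrapper: read src, patch, write dst; the original is left intact."""
    with open(src, "rb") as f:
        data = f.read()
    patched = patch_backdoor(data, replacement)
    with open(dst, "wb") as f:
        f.write(patched)
    return patched


if __name__ == "__main__":
    image = make_sample_binary()
    print("backdoor string found at:", [hex(o) for o in find_backdoor(image)])
    pw = new_password(len(BACKDOOR_PASSWORD))
    patched = patch_backdoor(image, pw)
    print("patched; backdoor string still present:", bool(find_backdoor(patched)))
```

If find_backdoor() reports an offset other than 0x6204, or more than one, stop and compare against the advisory for your build rather than patching blindly; and record the new password somewhere safe, since after the patch it is the only administrative credential in the binary.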

emurl/RECMAN.dll:
Upgrade Emurl to a version later than 2.0.

guestbook:
Disable server side includes. If this is not possible, or for additional security protection, make the following changes to the guestbook setup file:

excite:
Install the vendor patch (released after January 16, 1998).

site/eg/source.asp:
Either delete the script, or upgrade to Apache::ASP version 1.95 or higher.

w3-msql:
Apply the patch which can be found in the X-Force Advisory.

wais.pl:
In wais.pl, change @query to $pquery at the end of the line that begins with "open(WAISQ", so that the whole query is passed to waisq as a single argument instead of word by word. As an additional precaution, recompile waisq with the following change in the source code:

char pathname[MAX_FILENAME_LEN+1];
to
char pathname[MAX_FILENAME_LEN*2+1];
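The two CGI bugs described above, Excite's unchecked shell metacharacters and wais.pl handing each word of the query to waisq as a separate argument, together with the fix, as an added example in Python rather than the original Perl (this is not code from either product or from this page). /bin/echo stands in for the search back end because it, too, treats a leading "-n" as an option, which is enough to show option injection; the allow-list regex and the function names are this example's own choices.

```python
import re
import subprocess

# Stand-in for the waisq / Excite search binary in this constructed example.
# /bin/echo is used because it also treats a leading "-n" as an option.
SEARCH_BINARY = "/bin/echo"

# Allow-list for a search query: letters, digits, space and a few
# punctuation characters. Anything else (; | ` $ quotes newlines ...) is
# rejected before the query gets near a process.
QUERY_RE = re.compile(r"^[A-Za-z0-9 ._-]+$")


def validate_query(query):
    """Return the query unchanged if it is safe to hand to the back end,
    otherwise raise ValueError. Two checks: a character allow-list (the
    check Excite did not do well enough) and no word starting with '-'
    (so no word can be read as a command-line option, the wais.pl problem)."""
    if not QUERY_RE.fullmatch(query):
        raise ValueError("query contains disallowed characters")
    if any(word.startswith("-") for word in query.split()):
        raise ValueError("query word looks like a command-line option")
    return query


def run_argv(argv):
    """Run argv directly (no shell involved) and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def search_shell_interpolation(query):
    """Excite-style bug: the query is pasted into a shell command line, so
    shell metacharacters in it are interpreted by /bin/sh."""
    proc = subprocess.run(f"{SEARCH_BINARY} {query}", shell=True,
                          capture_output=True, text=True, check=True)
    return proc.stdout


def search_split_words(query):
    """wais.pl-style bug (the @query form): the query is split into words
    and each word becomes its own argument, so a word such as '-n' is seen
    by the back end as an option rather than as search text."""
    return run_argv([SEARCH_BINARY, *query.split()])


def search_hardened(query):
    """Fixed form: validated query, no shell, and the whole query passed
    as ONE argument (the $pquery form)."""
    return run_argv([SEARCH_BINARY, validate_query(query)])


if __name__ == "__main__":
    # The second command runs: the shell splits on ';'.
    print(repr(search_shell_interpolation("hello; /bin/echo INJECTED")))
    # '-n' is consumed as an option: no trailing newline, no '-n' in output.
    print(repr(search_split_words("-n secret")))
    print(repr(search_hardened("hello world")))
    for bad in ("hello; /bin/echo INJECTED", "-n secret", "$(id)"):
        try:
            search_hardened(bad)
        except ValueError as err:
            print(f"{bad!r} rejected: {err}")
```

The $pquery change alone is not the whole fix: a query that is one word beginning with "-" still arrives as an option-looking argument, which is why the hardened form also validates the text before passing it on. The same applies to any CGI that builds a command from user input: no shell, one argument per value, and an allow-list on the value.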

Where can I read more about this?

piranha/secure/passwd.php3:
See the X-Force advisory.

cart32.exe:
See the Cerberus Advisory.

emurl/RECMAN.dll:
See the Bugtraq posting.

guestbook:
See the X-Force Advisory.

excite:
See the X-Force Advisory.

site/eg/source.asp:
See the Bugtraq posting.

w3-msql:
See the X-Force Advisory.