
Sambar server malformed URL bugs
Vulnerability

    Sambar

Affected

    Sambar server 4.4 Beta 3

Description

    Guido Bakker found the following. The Sambar Server comes with a
    non-caching HTTP proxy server and basic SMTP, POP3, and IMAP4 proxy
    servers compiled in. Sambar was created to test a three-tier
    communication infrastructure modeled after the Sybase Open
    Client/Open Server. Originally developed on a Sun workstation
    (UNIX), it was ported to the PC (Windows 32) and licensed for
    commercial purposes.

    The vulnerability occurs in search.dll, the Sambar ISAPI Search
    component shipped with this product. This dynamic link library does
    not check the 'query' parameter that is passed to the server, so by
    constructing a malformed URL we are able to view the contents of the
    server: all folders and files. Thanks also to USSR Labs for further
    testing.

    All that is needed is a malformed query parameter passed to the
    search.dll file.

        http://server-running-sambar.com/search.dll?search?query=%00&logic=AND

    ... this will reveal the contents of the current working directory.

        http://server-running-sambar.com/search.dll?search?query=/&logic=AND

    ... this will reveal the root directory of the server.
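
A defender-side check for the behaviour described above, as an added example that is not from the advisory or from Sambar's own code: an allowlist for the 'query' value that rejects the %00 and / forms shown, plus a scan of constructed access-log lines for search.dll requests that fail it. The Common Log Format layout and the client addresses are assumptions.

```python
"""Validation and log detection for the Sambar search.dll 'query' issue.
Added example, not part of the advisory or of Sambar's own code; the access
log lines below are constructed (Common Log Format) for illustration."""
import re
from urllib.parse import unquote_plus

# The advisory's URLs nest a second '?' (search.dll?search?query=...), which
# standard query-string parsers turn into the key 'search?query', so the
# value is taken from the raw query string instead.
QUERY_RE = re.compile(r"(?:^|[?&])query=([^&]*)")
# Allowlist for a full-text search term: word characters, space and light
# punctuation.  NUL (decoded %00) and the path separators '/' and '\' are
# excluded, so both requests shown in the advisory are rejected.
ALLOWED = re.compile(r"[\w ,.'-]+")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def extract_query(url):
    """Raw (still percent-encoded) 'query' value of a search.dll request
    URL, or None if the URL does not address search.dll."""
    path, _, qs = url.partition("?")
    if not path.lower().endswith("search.dll"):
        return None
    m = QUERY_RE.search(qs)
    return m.group(1) if m else None

def query_is_safe(raw_query):
    """True only if the decoded 'query' value is a plausible search term."""
    return ALLOWED.fullmatch(unquote_plus(raw_query)) is not None

def flag_suspicious(log_lines):
    """(client_ip, raw_query) for each logged search.dll request whose
    'query' value fails the allowlist check."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        raw = extract_query(m.group(1)) if m else None
        if raw is not None and not query_is_safe(raw):
            hits.append((line.split(" ", 1)[0], raw))
    return hits

# Constructed sample log: one legitimate search, the two advisory requests
# and an unrelated page fetch.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2000:10:00:00 +0000] "GET /search.dll?search?query=sambar+proxy&logic=AND HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Jan/2000:10:00:01 +0000] "GET /search.dll?search?query=%00&logic=AND HTTP/1.0" 200 4096',
    '10.0.0.9 - - [01/Jan/2000:10:00:02 +0000] "GET /search.dll?search?query=/&logic=AND HTTP/1.0" 200 8192',
    '10.0.0.7 - - [01/Jan/2000:10:00:03 +0000] "GET /index.htm HTTP/1.0" 200 1024',
]
```

Running flag_suspicious(LOG_LINES) reports only the two 10.0.0.9 requests; the same query_is_safe check placed in front of the search handler would refuse them before search.dll sees the value.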

Solution

    The vendor, Sambar Technologies, has been contacted; wait until a
    patched version is released.
