
OSU httpd for OpenVMS path and directory disclosure - is this a bug or a feature?



         *** rfdslabs security advisory ***

Title: OSU httpd for OpenVMS path and directory disclosure - is this a bug or a feature? [RLSA_02-2006]
Versions: OSU/3.11alpha, OSU/3.10a (probably others)
Vendor: David Jones, Ohio State University
(http://www.ecr6.ohio-state.edu/www/doc/serverinfo.html)
Date: 18 May 2006

Authors: Julio Cesar Fort
         Iruata Souza, the VMS freak

   September 18th: HAPPY BIRTHDAY, MUZGO! :D

1. Introduction

   OSU is an HTTP server for the Compaq/HP (rest in peace, DEC) OpenVMS operating system. It supports a wide variety of TCP stacks for VMS, such as UCX and MultiNet, among others. Besides this, OSU supports CGI (written in DCL), SSI and many other features.

2. Details

 2.1 - Path disclosure (tested on OSU 3.11)

    This one is pretty simple. If one requests a non-existent file from the server, it simply returns something like this:

    Error:
    File /staff$disk/www_server/home/NONEXISTANT (/NONEXISTANT) could not be opened VMS especification:
staff$disk:[www_server.home]NONEXISTANT index.url present

    This exposes path information that, in our opinion, should not be exposed.


 2.2 - Directory and file disclosure

    This occurs through the faulty handling of wildcards (the VMS '*' character) in URL specifications, as in:

http://muzgo.is.a.freak.foo.bar/a*/

    This leads to the content of the first directory whose name starts with the letter 'a' being shown
and fully browsable. Sometimes there might be hidden or useful information:

    ----------------------------
    | Files                    |
    |                          |
    | ACRAPPY.DOC{stat error}  |
    | APROGRAM.EXE{stat error} |
    | AN.OBJ{stat error}       |
    | PR0N.XXX{stat error}     |
    ----------------------------

    Just a single click and you can view the content or download the exposed files. A smart attacker (not Brazilian kiddies, of course) could create a very simple script to perform a brute-force attack to guess directory names and access them directly.


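An added example, not part of the advisory or of the OSU httpd code, showing the defensive handling the two findings above call for: reject VMS wildcard characters in the percent-decoded URL path before it reaches the filesystem, answer missing files with a generic error that does not echo the translated VMS file specification, and flag wildcard requests when reviewing access logs. The document tree, the log lines and the log format are constructed for the example.

```python
import re
from urllib.parse import unquote

# VMS file-specification wildcards: '*' matches any run of characters and
# '%' matches exactly one. A URL path containing either must never be
# handed to the VMS filesystem unchanged, or RMS will expand it.
VMS_WILDCARDS = frozenset("*%")

# Constructed document tree standing in for a web root such as
# staff$disk:[www_server.home...] (hypothetical, not the advisory's server).
DOCS = {
    "/index.html": "<html>home</html>",
    "/about/index.html": "<html>about</html>",
}

def has_vms_wildcard(url_path):
    """True if the percent-decoded path contains a VMS wildcard character."""
    return any(ch in VMS_WILDCARDS for ch in unquote(url_path))

def handle_request(url_path):
    """Return (status, body). Error bodies never include a filesystem path."""
    if has_vms_wildcard(url_path):
        return 400, "Bad request"        # rejected before any directory lookup
    key = url_path + "index.html" if url_path.endswith("/") else url_path
    body = DOCS.get(key)
    if body is None:
        return 404, "File not found"     # no VMS specification, no web root
    return 200, body

# Constructed access-log lines in a hypothetical common-log-like format.
LOG = """\
10.0.0.5 - - [18/May/2006:10:00:01] "GET /index.html HTTP/1.0" 200
10.0.0.9 - - [18/May/2006:10:00:07] "GET /a*/ HTTP/1.0" 200
10.0.0.9 - - [18/May/2006:10:00:09] "GET /st%2aff/ HTTP/1.0" 200
10.0.0.5 - - [18/May/2006:10:00:12] "GET /about/ HTTP/1.0" 200
"""
REQ = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')

def wildcard_requests(log_text):
    """(client, path) pairs whose requested path carried a VMS wildcard,
    checked after percent-decoding so encoded wildcards are caught too."""
    hits = []
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m and has_vms_wildcard(m.group(1)):
            hits.append((line.split()[0], m.group(1)))
    return hits
```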
3. Solution

    Nothing yet.


4. Timeline

     Apr 2006: Vulnerability detected;
  18 May 2006: Advisory written;
  09 Jun 2006: Vendor contacted;
  09 Jul 2006: No response from vendor;
  18 Sep 2006: Advisory released.

Thanks to barrossecurity.com, gotfault.net brothers, risesecurity.org, Lucien Rocha, Victor Galante, and friends everywhere.
Iruata Souza also would like to thank Diego Casati.

www.rfdslabs.com.br - computers, sex, human mind, music and more.
Recife, PE, Brazil
