Vulnerability

    sambar

Affected

    Win 95, NT

Description

    Michiel de  Weerd found  how Sambar  Server Beta's  have a serious
    bug.  It is possible to view  the victim's HDD.  Asume you find  a
    computer  running  Sambar  Server  by  searching the Internet with
    these key-words: +sambar +server +v4.1

    If you find a site like: http://www.site.net/ then do a test,  run
    a little perl script...

        http://www.site.net/cgi-bin/dumpenv.pl

    Now  you  see  the  complete  environment of the victims computer,
    including his path. Now you can try to login as the  administrator
    by this url:

        http://www.site.net/session/adminlogin?RCpage=/sysadmin/index.stm

    The default login is: admin and the default password is blank.  If
    the victim hasn't  changed his settings,  you now can  control his
    server.  Another feature is to view the victims HDD.  If you  were
    able to  run the  perl script  you should  also be  able (in  most
    cases)  to  view  directory's  from  his  path.  Most  people have
    c:/program files and c:/windows in the path line, so what you  can
    do is:

        http://www.site.net/c:/program files/sambar41

    There is also  a buffer overrun  in the logging  code and a  MAJOR
    hole  in  the  mailit  script  that  allow for remote execution of
    system commands.

Solution

    1) Upgrade to a non-beta version of Sambar Server.
    2) Don't  alow directory  browsing if  index.html or  default.html
       isn't found.
    3) Change  the  admin  username  and password before someone  else
       changes it for you.