Vulnerability

    Zeus

Affected

    Zeus Web Server 3.1.x and 3.3.x

Description

    Vanja Hrustic found the following. Sources of CGI scripts (and other files) can be read by any user if the '%00' string is appended to the name of the CGI script. The following strings can also be appended in order to reveal the source:

        %G0 %W0 %EW %FG %UW %VG

    The Zeus Web server is vulnerable to a problem that allows remote users to see the source of CGI scripts. Any user can append '%00' to the name of the CGI script and view the source. Files in directories that are configured to contain executable scripts (/cgi-bin, for example) are not subject to this problem.

    This happens because the mime-type of '.cgi\0' does not map to 'application/x-httpd-cgi', so the file is instead served by the get module as 'text/plain'. The webserver will ask the OS for the file 'script.cgi\0\0', and due to the zero-terminated string interface of Unix, the OS will actually open 'script.cgi\0' instead of returning a "file-not-found" error.

Solution

    Zeus Web Server 3.3.5a is not vulnerable. The fixed version is available at:

        ftp://ftp.zeustechnology.com/pub/products/z3

    All customers are advised to upgrade.
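
The mismatch explained in the Description, as an added example (not Zeus code and not part of the original advisory): a length-aware suffix lookup sees '.cgi\0' and answers text/plain, while a NUL-terminated file name still ends in '.cgi'. The function names, the suffix-based MIME lookup and the request strings are assumptions made for illustration; only '%00' is modelled, and request_is_safe() shows the check that closes the gap.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode s into dst; the returned length may include embedded NULs. */
static size_t url_decode(const char *s, char *dst) {
    size_t n = 0;
    while (*s) {
        if (s[0] == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
            char hex[3] = { s[1], s[2], '\0' };
            dst[n++] = (char)strtol(hex, NULL, 16);
            s += 3;
        } else dst[n++] = *s++;
    }
    dst[n] = '\0';
    return n;
}

/* Simplified MIME lookup (assumed): compares the last 4 of n decoded bytes. */
static const char *mime_for(const char *name, size_t n) {
    return (n >= 4 && memcmp(name + n - 4, ".cgi", 4) == 0)
               ? "application/x-httpd-cgi" : "text/plain";
}

/* Hardened check: reject any request whose decoded path embeds a NUL byte. */
static int request_is_safe(const char *raw) {
    char buf[256];
    if (strlen(raw) >= sizeof buf) return 0;
    size_t n = url_decode(raw, buf);
    return memchr(buf, '\0', n) == NULL;
}

/* 1 if served as text/plain while the name open(2) sees still ends in ".cgi". */
static int discloses_source(const char *raw) {
    char buf[256];
    if (strlen(raw) >= sizeof buf) return 0;
    size_t n = url_decode(raw, buf);
    return strcmp(mime_for(buf, n), "text/plain") == 0 &&
           strcmp(mime_for(buf, strlen(buf)), "application/x-httpd-cgi") == 0;
}

int main(void) {
    const char *reqs[] = { "/script.cgi", "/script.cgi%00" }; /* constructed */
    for (int i = 0; i < 2; i++)
        printf("%-16s discloses=%d safe=%d\n", reqs[i],
               discloses_source(reqs[i]), request_is_safe(reqs[i]));
    return 0;
}
```

Running the NUL check on the decoded path before both the MIME lookup and the file open keeps the two views of the name identical.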