
Zeus Webserver 3.1.x CGI Source Code viewable
Vulnerability

    Zeus

Affected

    Zeus Web Server 3.1.x and 3.3.x

Description

    Vanja Hrustic found the following.  Sources of CGI scripts (and
    other files) can be read by any user if the '%00' string is
    appended to the name of the CGI script.  The following strings can
    also be appended in order to reveal the source:

        %G0
        %W0
        %EW
        %FG
        %UW
        %VG

    The Zeus Web server is vulnerable to a problem that allows remote
    users to see the source of CGI scripts.  Any user can append '%00'
    to the name of the CGI script and view the source.  Files in
    directories that are configured to contain executable scripts
    (/cgi-bin, for example) are not subject to this problem.

    This happens because the mime-type of '.cgi\0' does not map to
    'application/x-httpd-cgi', so the file is instead served by the
    get module as 'text/plain'.  The webserver will ask the OS for the
    file 'script.cgi\0\0', and due to the zero-terminated string
    interface of Unix, the OS will actually open 'script.cgi\0' instead
    of returning a "file-not-found" error.
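
    The mismatch described above, as an added example that is not Zeus
    code: the type decision is made over the full decoded length while
    the OS sees only the C string. The function names and the '.cgi'
    suffix test standing in for the mime-type lookup are assumptions.

```c
#include <stddef.h>
#include <string.h>

enum action { SERVE_AS_TEXT, RUN_AS_CGI, REJECT };

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                   /* fold to lower case */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src into dst and NUL-terminate it. Returns the decoded
   length, or -1 for a malformed escape (e.g. "%G0") or a too-small dst. */
long url_decode(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    for (; *src; src++) {
        int c = (unsigned char)*src;
        if (c == '%') {
            int hi = hexval((unsigned char)src[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[2]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            src += 2;
        }
        if (n + 1 >= cap) return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (long)n;
}

/* Suffix test over the full decoded length (assumed stand-in for a mime-type lookup). */
static int is_cgi(const char *p, size_t len) {
    return len >= 4 && memcmp(p + len - 4, ".cgi", 4) == 0;
}

/* Mismatch: type chosen from the whole buffer, file later opened by C string. */
enum action classify_naive(const char *url, char *os_name, size_t cap) {
    long len = url_decode(url, os_name, cap);
    if (len < 0) return REJECT;
    return is_cgi(os_name, (size_t)len) ? RUN_AS_CGI : SERVE_AS_TEXT;
}

/* Hardened: reject any path whose decoded length differs from what the OS sees. */
enum action classify_hardened(const char *url, char *os_name, size_t cap) {
    long len = url_decode(url, os_name, cap);
    if (len < 0 || strlen(os_name) != (size_t)len) return REJECT;
    return is_cgi(os_name, (size_t)len) ? RUN_AS_CGI : SERVE_AS_TEXT;
}
```

    After either call, os_name holds the name a zero-terminated
    open() would receive, so it can be compared with the decision made.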

Solution

    Zeus Web Server 3.3.5a is not vulnerable.  The fixed version is
    available at:

        ftp://ftp.zeustechnology.com/pub/products/z3

    All customers are advised to upgrade.
