18th Sep 2002 [SBWID-5700]
COMMAND
A DB4Web component allows files on the server to be downloaded
SYSTEMS AFFECTED
?
PROBLEM
Stefan Bagdohn [stefan.bagdohn@guardeonic.com]
[buggy@segmentationfault.de] says:
A DB4Web (R) server accessed with a web browser usually requests local
or remote databases to generate dynamic HTML pages. By requesting
malicious URLs one can manipulate the server application to disclose
files located on the server system. The browser will download them and
(according to the MIME type) show them directly within the browser
window. The db4web_c binary (on Unix/Linux systems) or db4web_c.exe
binary (on MS Windows) is located within the cgi-bin (scripts)
directory of the web server on the DB4Web (R) system. This binary
executes the database query and is accessible by the client's
web browser.
Example:
On MS Windows systems the URL to retrieve the boot.ini file would look
like:
http://db4web.server.system/scripts/db4web_c.exe/dbdirname/c%3A%5Cboot.ini
On Linux/Unix servers the following URL will show /etc/hosts:
http://db4web.server.system/cgi-bin/db4web_c/dbdirname//etc/hosts
In the above examples db4web.server.system means the name or IP address
of the server, dbdirname is the name of the local database directory
and %3A%5C is the representation of :\ needed to access c:\boot.ini.
One can also download files, cmd.exe for example, by requesting
c%3A%5Cwinnt%5Csystem32%5Ccmd.exe
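An added detection example (not part of the advisory or the DB4Web product): it scans constructed web-server access-log lines for requests to the db4web_c / db4web_c.exe CGI whose path after the database directory decodes to an absolute Unix path or a Windows drive path, the two shapes described above, and also flags ".." components as a generalization. The log lines, IP addresses and file names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample (Common Log Format); the 3rd and 4th lines
# mirror the URL shapes described in the advisory, the others are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2002:10:01:02 +0200] "GET /cgi-bin/db4web_c/dbdirname/report.html HTTP/1.0" 200 512
10.0.0.5 - - [18/Sep/2002:10:01:03 +0200] "GET /scripts/db4web_c.exe/dbdirname/index.html HTTP/1.0" 200 811
10.0.0.9 - - [18/Sep/2002:10:02:17 +0200] "GET /scripts/db4web_c.exe/dbdirname/c%3A%5Cboot.ini HTTP/1.0" 200 302
10.0.0.9 - - [18/Sep/2002:10:02:40 +0200] "GET /cgi-bin/db4web_c/dbdirname//etc/hosts HTTP/1.0" 200 158
10.0.0.5 - - [18/Sep/2002:10:03:01 +0200] "GET /cgi-bin/db4web_c/dbdirname/sub/page.html HTTP/1.0" 200 77
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')
# Everything after "/db4web_c[.exe]/<dbdirname>/" is the file the CGI is asked for.
CGI_RE = re.compile(r'/db4web_c(?:\.exe)?/[^/]+/(?P<rest>.*)$', re.IGNORECASE)

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double-encoded forms (e.g. %253A) are caught."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def is_suspicious_path(rest):
    """True if the requested file lies outside the database directory:
    an absolute Unix path, a Windows drive path, or a '..' component."""
    p = decode_fully(rest).replace('\\', '/')
    if p.startswith('/'):                 # e.g. //etc/hosts -> /etc/hosts
        return True
    if re.match(r'^[A-Za-z]:/', p):       # e.g. c%3A%5Cboot.ini -> c:/boot.ini
        return True
    return any(part == '..' for part in p.split('/'))

def scan(log_text):
    """Return (ip, url, status) for every db4web request with a suspicious path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        c = CGI_RE.search(m['url'])
        if c and is_suspicious_path(c['rest']):
            hits.append((m['ip'], m['url'], int(m['status'])))
    return hits

if __name__ == '__main__':
    for ip, url, status in scan(SAMPLE_LOG):
        print(f"{ip} requested {url} -> HTTP {status}")
```

A 200 status on a flagged request indicates the file was actually served, so those entries should be prioritized over 404s when reviewing a log.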
SOLUTION
The DB4Web team provided an update of their software and notified their
customers about the problem. The patches can be found at:
http://www.db4web.de/DB4Web/home/DB4Web/hotfix_e.html