OSU Sensitive Information Disclosure Vulnerability

Vulnerability ID: 1193444    Vulnerability type: Unknown
Published: 2006-09-20    Updated: 2006-09-20
CVE ID: CVE-2006-4907    CNNVD-ID: CNNVD-200609-364
Platform: N/A    CVSS score: 5.0
|Vulnerability source
https://www.securityfocus.com/bid/84192
https://cxsecurity.com/issue/WLB-2006090130
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-364
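|Vulnerability details
OSU 3.11alpha and 3.10a allow remote attackers to obtain sensitive information via a URL for a non-existent file, which causes the web root path to be shown in the resulting error message.
|Vulnerability exploit (EXP)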
         *** rfdslabs security advisory ***

Title: OSU httpd for OpenVMS path and directory disclosure - is this a bug or a feature? [RLSA_02-2006]

Versions: OSU/3.11alpha, OSU/3.10a (probably others)

Vendor: David Jones, Ohio State University

(http://www.ecr6.ohio-state.edu/www/doc/serverinfo.html)

Date: 18 May 2006

Authors: Julio Cesar Fort <julio *NO_SPAM* rfdslabs com br>

Iruata Souza, the VMS freak <iru.muzgo *NO_SPAM* gmail com>

September 18th: HAPPY BIRTHDAY, MUZGO! :D

1. Introduction

OSU is an HTTP server for the Compaq/HP (rest in peace, DEC) OpenVMS operating system. It supports a wide variety of TCP stacks for VMS like UCX, MultiNet, among others. Besides this, OSU supports CGI (written in DCL), SSI and many others.

2. Details

2.1 - Path disclosure (tested on OSU 3.11)

This one is pretty simple. If one requests a non-existent file from the server, it simply returns something like this:

Error:

File /staff$disk/www_server/home/NONEXISTANT (/NONEXISTANT) could not be opened VMS especification:

staff$disk:[www_server.home]NONEXISTANT index.url present

Exposing path information that, in our opinion, should not be exposed.

2.2 - Directory and file disclosure

This occurs by the faulty handling of wildcards (VMS '*' char) on URL specifications as in:

http://muzgo.is.a.freak.foo.bar/a*/

Which leads to the content of the first directory starting with the letter 'a' being shown and totally browsable. Sometimes there might be hidden or useful information:

----------------------------
| Files                    |
|                          |
| ACRAPPY.DOC{stat error}  |
| APROGRAM.EXE{stat error} |
| AN.OBJ{stat error}       |
| PR0N.XXX{stat error}     |
----------------------------

Just a single click and you can view the content or download the exposed files. A smart attacker (not Brazilian kiddies, of course) could create a very simple script to perform a brute-force attack to guess directory names and access them directly.

3. Solution

Nothing yet.

4. Timeline

Apr 2006: Vulnerability detected;

18 May 2006: Advisory written;

09 Jun 2006: Vendor contacted;

09 Jul 2006: No response from vendor;

18 Sep 2006: Advisory released.

Thanks to barrossecurity.com, gotfault.net brothers, risesecurity.org, Lucien Rocha, Victor Galante, and friends everywhere.

Iruata Souza also would like to thank Diego Casati.

www.rfdslabs.com.br - computers, sex, human mind, music and more.

Recife, PE, Brazil
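
Since the advisory lists no fix, the following is an added defensive example (not part of the advisory and not OSU code): it finds and scrubs VMS path strings of the kind quoted in section 2.1 from a response body, and flags wildcard requests of the kind described in section 2.2 in an access log. The Common Log Format layout, the sample log lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# VMS file specification as in the advisory's error text: device:[dir.subdir]name
VMS_SPEC = re.compile(r"[A-Za-z0-9_$]+:\[[A-Za-z0-9_$.\-]+\][^\s<]*")
# Slash-separated rendering of the same path; the '$' in the first segment marks a VMS device
UNIX_STYLE = re.compile(r"/[A-Za-z0-9_]*\$[A-Za-z0-9_$]*(?:/[^\s/<()]+)+")
# Common Log Format prefix (assumed): client ident user [time] "METHOD target ..."
CLF = re.compile(r'(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)')

def leaked_paths(body):
    """Return server-side path strings present in a response body."""
    return VMS_SPEC.findall(body) + UNIX_STYLE.findall(body)

def scrub(body):
    """Replace leaked paths with a neutral marker, e.g. in a reverse-proxy filter."""
    return UNIX_STYLE.sub("[path removed]", VMS_SPEC.sub("[path removed]", body))

def wildcard_requests(log_lines):
    """Return (client, decoded path) for requests whose URL path contains '*'."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue
        path = unquote(urlsplit(m.group(3)).path)  # decode so %2A is counted too
        if "*" in path:
            hits.append((m.group(1), path))
    return hits

# Constructed samples: the error text quoted in section 2.1 and invented log lines
SAMPLE_BODY = ("File /staff$disk/www_server/home/NONEXISTANT (/NONEXISTANT) could not "
               "be opened VMS especification: staff$disk:[www_server.home]NONEXISTANT")
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2006:10:00:00 +0000] "GET /a*/ HTTP/1.0" 200 512',
    '192.0.2.10 - - [18/Sep/2006:10:00:01 +0000] "GET /b%2A/ HTTP/1.0" 404 310',
    '198.51.100.7 - - [18/Sep/2006:10:00:02 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    print(leaked_paths(SAMPLE_BODY))
    print(scrub(SAMPLE_BODY))
    print(wildcard_requests(SAMPLE_LOG))
```
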
|Affected products
Ohio State University Osu Httpd 3.11Alpha
Ohio State University Osu Httpd 3.10A
|References

Source: XF
Name: osu-httpd-error-path-disclosure(29031)
Link: http://xforce.iss.net/xforce/xfdb/29031
Source: BUGTRAQ
Name: 20060918 [RLSA_02-2006] OSU httpd for OpenVMS path and directory disclosure - is this a bug or a feature?
Link: http://www.securityfocus.com/archive/1/archive/1/446372/100/0/threaded
Source: SECUNIA
Name: 22016
Link: http://secunia.com/advisories/22016
Source: SREASON
Name: 1602
Link: http://securityreason.com/securityalert/1602