Zeus Web Server: Null Terminated Strings

From: Julian Midgley (jmidgleyat_private)
Date: Tue Feb 08 2000 - 04:49:04 PST

    This morning Zeus Technology Limited was informed of a serious security
    bug in the Zeus Webserver by 'The Relay Group' (http://relaygroup.com).
    
    This document describes the scope of the problem and its solution.
    
    
    Versions affected
    -----------------
    
     Zeus 3.1.x / 3.3.x
    
    
    
    Severity
    --------
    
    High: this bug allows the contents of CGI scripts to be read by a remote
    client, if the scripts are run with the CGI module's "allow CGIs
    anywhere" option enabled.
    
    It does not affect CGIs run from designated directories (cgi-bins).
    Nonetheless, we recommend that all customers upgrade to Zeus 3.3.5a; see
    below for further details.
    
    
    Description
    -----------
    
    Requests for URLs that contain the text '%00' are decoded to contain
    a null terminator.  This means that files can be accessed via URLs
    that are not access controlled, allowing files that are *inside* the
    document root to be retrieved.
    
    For example, if you run a webserver with the 'allow CGI anywhere' option,
    and have a Perl CGI script inside the document root accessible as
    'http://mysite/script.cgi' then a request for
    'http://mysite/script.cgi%00' will cause the webserver to return the Perl
    source of the CGI script to the client.
    
    This happens because the mime-type of '.cgi\0' does not map to
    'application/x-httpd-cgi', so the file is instead served by the get
    module as 'text/plain'.  The webserver will ask the OS for the file
    'script.cgi\0\0', and due to the zero-terminated string interface of
    Unix, the OS will actually open 'script.cgi\0' instead of returning a
    "file-not-found" error.
    
    
    Problem Solution
    ----------------
    
    We have fixed the problem in the latest version of Zeus (3.3.5a) now
    available for all 14 platforms from our ftp site
    ftp://ftp.zeustechnology.com/pub/products/z3.
    
    This version will report itself as '3.3.5a' and also
    display today's (8th Feb) date on startup.
    
    Download the distribution for your platform, untar it, and run
    './zinstall --force'; it will seamlessly upgrade your running
    server to the fixed release.
    
    
    --
    Julian Midgley                                Tel: +44 1223 525000
    Technical Services Manager                    Fax: +44 1223 525100
    Zeus Technology Ltd                  http://www.zeustechnology.com
    Newton House, Cambridge Business Park, Cambridge. CB4 OWZ. England
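
The mismatch the Description section explains, between a length-counted decoded path and the NUL-terminated string the OS receives, shown as an added C example (not Zeus's code and not part of the original message). The function names, the suffix test standing in for the MIME-type lookup, and the request path are assumptions made for illustration; `path_is_safe` is one check that rejects such paths before they reach the file system.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode src into dst (dst must hold strlen(src)+1 bytes).
 * Returns the decoded length, which may include embedded NUL bytes. */
size_t url_decode(const char *src, char *dst) {
    size_t n = 0;
    while (*src) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1]) &&
            isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            dst[n++] = (char)strtol(hex, NULL, 16);
            src += 3;
        } else {
            dst[n++] = *src++;
        }
    }
    dst[n] = '\0';
    return n;
}

/* Hypothetical stand-in for the MIME lookup: a length-counted suffix test.
 * "script.cgi\0" (11 bytes) does not end in ".cgi". */
int is_cgi(const char *path, size_t len) {
    return len >= 4 && memcmp(path + len - 4, ".cgi", 4) == 0;
}

/* What open(2) would see: the C string stops at the first NUL. */
size_t os_visible_len(const char *path) { return strlen(path); }

/* Hardened check: refuse any decoded path that contains an embedded NUL,
 * i.e. whose counted length differs from its C-string length. */
int path_is_safe(const char *path, size_t len) {
    return memchr(path, '\0', len) == NULL;
}

int main(void) {
    char buf[64];
    size_t len = url_decode("/script.cgi%00", buf);  /* constructed request path */
    printf("decoded=%zu bytes, OS sees %zu bytes, cgi=%d, safe=%d\n",
           len, os_visible_len(buf), is_cgi(buf, len), path_is_safe(buf, len));
    return 0;
}
```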
    


