==>> 403 Security Lab <<==
www.403-security.org

Advisory ID: 403-05-2001
-------------------------------------------------
Advisory Name: Remote vulnerabilities in OmniHTTPd
Release Date: 26.05.2001
Application: OmniHTTPd
Platform: Tested on Windows 2000 only
Author: Astral <astral@403-security.org>
Vendor: www.omnicron.ca
-------------------------------------------------

1. About OmniHTTPd
2. PHP d.o.s.
3. Scripts source disclosure
4. Vendor response
5. Greets

1. About OmniHTTPd

From the official web site: In addition to standard CGI support, the server sports advanced features such as Keep-Alive connections, table auto-indexing and server-side includes. For maximum performance, OmniHTTPd is both 32-bit and multi-threaded.

--------------------------------------------------------//

2. PHP d.o.s.

ABSTRACT:
PHP is an open source, server-side, cross-platform, HTML-embedded scripting language. PHP is a good alternative to ASP because native support is not limited to servers running IIS on Windows NT. The PHP libraries provide good support for tasks like SQL and LDAP operations.

OmniHTTPd supports PHP scripts, but it has two vulnerabilities. Both are connected with the way OmniHTTPd processes them.

DESCRIPTION:
If a malicious user sends a lot of requests for some existing or non-existing PHP script on the web server, it will consume 100% of the processor. Why does this happen? Every time you send a request for a PHP script, the OmniHTTPd server starts PHP.exe and then tries to run the script, rather than keeping the interpreter memory-resident.

Severity: d.o.s.

---------------------------------------------------------//

3. Scripts source disclosure

DESCRIPTION:
This one is much more dangerous. It allows anyone to view the source of scripts. This vulnerability is similar to the ones Microsoft had problems with. It is possible to make OmniHTTPd think a .php, .shtml or .pl file is an ordinary HTML document. How?
By appending an encoded space character (%20), OmniHTTPd will identify any script as an HTML file and send the script source back to the client.

Exploit:
GET /somefuckingboringphpscript.php%20%20 HTTP/1.1

Severity: Disclosure of script source

---------------------------------------------------------//

4. Vendor Response

Vendor didn't respond to us ...

5. Greetz

rfp, eEye, Luka, d-R
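As an added illustration of section 3 (not part of the advisory and not OmniHTTPd's code): a model of the flawed handler selection the advisory describes, a hardened dispatcher that refuses non-canonical paths, and a check over access-log lines. Assumptions: the handler map is matched against the literal decoded extension while the Win32 file API drops trailing spaces and dots when opening the file; the log lines are constructed in common log format; all function names are mine.

```python
import re
import posixpath
from urllib.parse import unquote

# Extensions the server hands to an interpreter (the page names .php, .shtml, .pl).
SCRIPT_EXTENSIONS = {".php", ".shtml", ".pl"}

def is_script(path: str) -> bool:
    return posixpath.splitext(path)[1].lower() in SCRIPT_EXTENSIONS

def dispatch_naive(request_path: str) -> str:
    """Flawed dispatch modelled on the advisory: decode, check the literal
    extension, serve anything unknown as a static file. Win32 drops trailing
    spaces and dots when opening a name, so 'x.php  ' still opens x.php."""
    decoded = unquote(request_path.split("?", 1)[0])
    return "interpreter" if is_script(decoded) else "static"

def canonical_path(request_path: str) -> str:
    """Canonicalise the way the filesystem will: decode once, then drop the
    trailing spaces and dots Windows ignores in each path component."""
    decoded = unquote(request_path.split("?", 1)[0])
    return "/".join(part.rstrip(". ") for part in decoded.split("/"))

def dispatch_hardened(request_path: str) -> str:
    """Refuse any request whose decoded path is not already canonical: the
    mismatch between handler map and filesystem is the bug, so don't guess."""
    decoded = unquote(request_path.split("?", 1)[0])
    canonical = canonical_path(request_path)
    if decoded != canonical:
        return "reject"
    return "interpreter" if is_script(canonical) else "static"

# Detection over constructed common-log-format lines (OmniHTTPd's own log
# layout is not given on the page, so the format here is an assumption).
LOG_PATTERN = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')

def suspicious_requests(log_lines):
    """Return request paths that the hardened dispatcher would reject."""
    hits = []
    for line in log_lines:
        m = LOG_PATTERN.search(line)
        if m and dispatch_hardened(m.group(1)) == "reject":
            hits.append(m.group(1))
    return hits

SAMPLE_LOG = [
    '10.0.0.5 - - [26/May/2001:10:09:21 -0700] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [26/May/2001:10:09:22 -0700] "GET /index.php%20%20 HTTP/1.1" 200 1873',
    '10.0.0.5 - - [26/May/2001:10:09:23 -0700] "GET /docs/ HTTP/1.1" 200 2048',
]
```

Running `suspicious_requests(SAMPLE_LOG)` flags only the second line; the naive dispatcher classifies that same path as a static file, which is exactly the disclosure the advisory reports.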
This archive was generated by hypermail 2b30 : Sat May 26 2001 - 10:09:21 PDT