Remote vulnerabilities in OmniHTTPd

From: astral@403-security.org
Date: Fri May 25 2001 - 17:00:32 PDT


    ==>> 403 Security Lab <<==
    www.403-security.org
    
    Advisory ID: 403-05-2001
    
    -------------------------------------------------
    Advisory Name: Remote vulnerabilities in OmniHTTPd
    Release Date: 26.05.2001
    Application: OmniHTTPd
    Platform: Tested on Windows2000 only
    Author: Astral <astral@403-security.org>
    Vendor: www.omnicron.ca
    -------------------------------------------------
    
    1. About OmniHTTPd
    2. PHP d.o.s.
    3. Scripts source disclosure
    4. Vendor response
    5. Greets
    
    
    1. About OmniHTTPd
    
    From the official web site:
    "In addition to Standard CGI support, the server sports advanced features
    such as Keep-Alive connections, table auto-indexing and server-side
    includes. For maximum performance, OmniHTTPd is both 32-bit and
    multi-threaded."
    
    --------------------------------------------------------//
    
    2. PHP d.o.s.
    
    ABSTRACT:
    
    
    PHP is an open source, server-side, cross-platform, HTML-embedded
    scripting language. PHP is a good alternative to ASP because native
    support is not limited to servers running IIS on Windows NT. The PHP
    libraries provide good support for tasks like SQL and LDAP operations.
    
    
    OmniHTTPd supports PHP scripts, but it has two vulnerabilities. Both are
    connected with the way OmniHTTPd processes them.
    
    
    DESCRIPTION:
    
    If a malicious user sends a lot of requests for some existing or
    non-existing PHP script on the web server, it will consume 100% of the
    processor time. Why does this happen?
    
    Every time a request for a PHP script arrives, the OmniHTTPd server
    starts PHP.exe and then tries to run the script, rather than keeping the
    interpreter memory-resident. Each request therefore costs a full process
    start-up.
    
    Severity: d.o.s.
    
    ---------------------------------------------------------//
    
    3. Scripts source disclosure
    
    DESCRIPTION:
    This one is much more dangerous. It allows anyone to view the source of
    scripts. This vulnerability is similar to ones Microsoft has had problems
    with.
    
    It is possible to make OmniHTTPd treat a .php, .shtml or .pl file as an
    ordinary HTML document. How?
    
    By appending a percent-encoded space character (%20) to the request path,
    OmniHTTPd no longer recognises the script extension, identifies the file
    as an HTML document, and sends the script source back to the client.
    
    Exploit: GET /somefuckingboringphpscript.php%20%20 HTTP/1.1
    Severity: Disclosure of script source
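    As an added illustration (not part of the advisory or of OmniHTTPd), the following Python models the dispatch defect described above: a naive handler that matches the extension of the raw request path, so encoded trailing padding pushes a script into the static-file handler, beside a hardened one that decodes and canonicalises the path before dispatching, plus a check that flags such requests in constructed CLF-style log lines. All function names and the sample log lines are hypothetical constructions.

```python
import re
from urllib.parse import unquote

# Extensions that must always go to a script handler, never to the file handler.
SCRIPT_EXTENSIONS = {".php", ".shtml", ".pl"}

def _extension(path: str) -> str:
    return path[path.rfind("."):].lower() if "." in path else ""

def handler_naive(request_path: str) -> str:
    """Model of dispatch on the literal request path: ".php%20%20" is not a
    known script extension, so the request falls through to the static-file
    handler and the script source is served as if it were HTML."""
    return "script" if _extension(request_path) in SCRIPT_EXTENSIONS else "static"

def handler_hardened(request_path: str) -> str:
    """Percent-decode and canonicalise before choosing a handler. Trailing
    whitespace has no legitimate use in a file name, so refuse the request
    outright instead of guessing which handler was meant."""
    decoded = unquote(request_path.split("?", 1)[0])
    canonical = decoded.rstrip(" \t\r\n")
    if canonical != decoded:
        return "reject"
    return "script" if _extension(canonical) in SCRIPT_EXTENSIONS else "static"

# Script extension followed by one or more encoded whitespace characters at
# the end of the path (or just before the query string).
TRAILING_PAD = re.compile(r"\.(?:php|shtml|pl)(?:%20|%09|%0d|%0a)+(?:\?|$)", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def suspicious_requests(log_lines):
    """Return the request targets in CLF-style log lines that carry the
    trailing-whitespace pattern, for triage of possible source disclosure."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if m and TRAILING_PAD.search(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [26/May/2001:10:09:21 -0700] "GET /index.php HTTP/1.1" 200 1532',
    '10.0.0.5 - - [26/May/2001:10:09:22 -0700] "GET /index.php%20%20 HTTP/1.1" 200 4120',
    '10.0.0.7 - - [26/May/2001:10:09:23 -0700] "GET /cgi-bin/form.pl%20 HTTP/1.0" 200 987',
    '10.0.0.8 - - [26/May/2001:10:09:24 -0700] "GET /docs/readme.html HTTP/1.1" 200 210',
]
```

A 200 response with a larger-than-usual body on a padded script path, as in the second sample line, is the signature to look for when reviewing logs for this issue.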
    
    ---------------------------------------------------------//
    
    4. Vendor Response
    
    The vendor did not respond to us ...
    
    5. Greetz
    rfp, eEye, Luka, d-R
    



    This archive was generated by hypermail 2b30 : Sat May 26 2001 - 10:09:21 PDT