Hi everybody,

I wrote a plugin for this security problem. The correct banner is "IBM-HTTP-Server/1.0".

Working box (hope so):

http://www.slc.sc.edu/borrowers/nmaddrinqchguse.htm

"HTTP/1.0 200 OK
Server: IBM-HTTP-Server/1.0
Date: Thu, 08 Nov 2001 18:53:14 GMT
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 13465
Last-Modified: Fri, 12 May 2000 12:25:00 GMT
Age: 7195
X-Cache: MISS from sgt2-t2-1.mcbone.net
Connection: close"

http://www.slc.sc.edu/borrowers/nmaddrinqchguse.htm/

"HTTP/1.0 200 OK
Server: IBM-HTTP-Server/1.0
Date: Thu, 08 Nov 2001 18:53:36 GMT
Accept-Ranges: bytes
Content-Type: www/unknown <------------------ my trigger
Content-Length: 13465
Last-Modified: Fri, 12 May 2000 12:25:00 GMT
Age: 7195
X-Cache: MISS from sgt2-t2-1.mcbone.net
Connection: close"

http://uptime.netcraft.com/up/graph/?mode_u=off&mode_w=on&site=http%3A%2F%2Fwww.slc.sc.edu&submit=Examine

Regards,
Felix Huber

-------------------------------------------------------
Felix Huber, Security Consultant, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelixat_private          (07668) 951 156 (phone)
http://www.webtopia.de        (07668) 951 157 (fax)
                              (01792) 205 724 (mobile)
-------------------------------------------------------

----- Original Message -----
From: "'ken'@FTU" <franklin_tech_bulletinsat_private>
To: "bugtraq" <bugtraqat_private>
Sent: Thursday, November 08, 2001 3:41 PM
Subject: IBM AS/400 HTTP Server '/' attack

> IBM's HTTP Server on the AS/400 platform is vulnerable to an attack
> that will show the source code of the page -- such as an .html or .jsp
> page -- by attaching a '/' to the end of a URL.
>
> Compare these two URLs:
>
> http://www.foo.com/getsource.jsp
>
> http://www.foo.com/getsource.jsp/
>
> The latter URL will deliver the jsp source to the browser.
>
> I reported this problem to IBM approximately 9 or 10 months ago.
>
> I was told it was a bug but not a security vulnerability. When I
> explained that Microsoft had a similar bug (asp dot bug) they told me
> that "they did not share the same source code base." I replied to this
> ludicrous reply: "Isn't it possible that since you developed servers
> that function in a similar manner you have the same logical bug?" To
> this they were speechless. I imagine that a .jsp page could contain user
> names and passwords if they are accessing databases, especially if these
> databases are on the network.
>
> By the way, the IBM HTTP server was derived from an early version of
> Apache. I have not seen Apache servers vulnerable to this bug.
>
> Since I reported this "non-security" bug so long ago I hope it is fixed
> through the regular set of changes. I cannot confirm this bug was fixed.
> As far as I know this vulnerability was not yet reported to the public.
>
> 'ken'
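Added example, not part of the thread and not Felix Huber's plugin or IBM code: a small Python check that applies the trigger Felix describes (same Content-Length, Content-Type flipping from text/html to www/unknown under the IBM-HTTP-Server/1.0 banner) to two captured response heads, one for the URL and one for the URL with a trailing '/'. The two sample heads are constructed from the responses quoted above; the 404 head is a constructed negative case, and the function names are my own.

```python
"""
Decide whether a pair of HTTP response heads, captured for URL and URL + "/",
matches the trailing-slash source-disclosure trigger described in the thread.
Added illustration, not the plugin from the thread.
"""
from typing import Dict, Tuple

SERVER_BANNER = "IBM-HTTP-Server/1.0"  # banner the thread names as the affected one
TRIGGER_TYPE = "www/unknown"           # Content-Type the server emits for the '/' form


def parse_response_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response head into (status line, headers).

    Header names are lower-cased; parsing stops at the first blank line so any
    body is ignored, and lines without a ':' are skipped.
    """
    lines = raw.strip("\r\n").splitlines()
    status = lines[0].strip() if lines else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def status_code(status_line: str) -> int:
    """Return the numeric code from 'HTTP/1.0 200 OK', or 0 if unparseable."""
    parts = status_line.split()
    try:
        return int(parts[1])
    except (IndexError, ValueError):
        return 0


def looks_like_source_disclosure(plain_raw: str, slash_raw: str) -> Tuple[bool, str]:
    """Apply the thread's trigger; returns (matched, reason).

    A match requires: both requests answered 200, the IBM banner on the '/'
    response, the plain URL served as something other than www/unknown while
    the '/' URL is served as www/unknown, and identical Content-Length when
    both responses carry one (same bytes, different interpretation).
    """
    p_status, p_hdr = parse_response_head(plain_raw)
    s_status, s_hdr = parse_response_head(slash_raw)

    if status_code(p_status) != 200 or status_code(s_status) != 200:
        return False, "one of the requests did not return 200"
    if SERVER_BANNER not in s_hdr.get("server", ""):
        return False, "server banner is not %s" % SERVER_BANNER
    p_type = p_hdr.get("content-type", "").lower()
    s_type = s_hdr.get("content-type", "").lower()
    if p_type == TRIGGER_TYPE or s_type != TRIGGER_TYPE:
        return False, "Content-Type did not flip to %s" % TRIGGER_TYPE
    if ("content-length" in p_hdr and "content-length" in s_hdr
            and p_hdr["content-length"] != s_hdr["content-length"]):
        return False, "Content-Length differs, probably a different resource"
    return True, "trailing '/' changes Content-Type %s -> %s, same length" % (p_type, s_type)


# Constructed from the two responses quoted in the thread.
PLAIN_HEAD = """HTTP/1.0 200 OK
Server: IBM-HTTP-Server/1.0
Date: Thu, 08 Nov 2001 18:53:14 GMT
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 13465
Last-Modified: Fri, 12 May 2000 12:25:00 GMT
Connection: close
"""

SLASH_HEAD = """HTTP/1.0 200 OK
Server: IBM-HTTP-Server/1.0
Date: Thu, 08 Nov 2001 18:53:36 GMT
Accept-Ranges: bytes
Content-Type: www/unknown
Content-Length: 13465
Last-Modified: Fri, 12 May 2000 12:25:00 GMT
Connection: close
"""

# Constructed negative case: a server that refuses the '/' form outright.
NOT_FOUND_HEAD = """HTTP/1.0 404 Not Found
Server: IBM-HTTP-Server/1.0
Content-Type: text/html
Content-Length: 312
"""

if __name__ == "__main__":
    for label, slash in (("affected", SLASH_HEAD), ("not affected", NOT_FOUND_HEAD)):
        matched, why = looks_like_source_disclosure(PLAIN_HEAD, slash)
        print("%s: %s (%s)" % (label, matched, why))
```

The check deliberately keys on the combination of banner, identical length and the Content-Type flip rather than on the status code alone, because a plain 200 for the '/' form is also what a server returns when it simply ignores the trailing slash; a different Content-Length is treated as a different resource, not a disclosure.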
This archive was generated by hypermail 2b30 : Thu Nov 08 2001 - 13:30:09 PST