Sambar Technologies Security

Security Alerts

Cross-Site Scripting Bug

Several cross-site scripting security holes were identified in the 6.2 production release by Jamie Fisher. These vulnerabilities are fixed in the 6.2.1 patch releases for Windows and Linux. The vulnerabilities targeted the search and logout features.

Stack Overflow (SMUDGE)

Ned (nd@felinemenace.org) reported a stack overflow vulnerability in Sambar Server 6.0 utilizing a tool called SMUDGE. This vulnerability does not appear to exist in the 6.0 production release. A vulnerability in the /search/results.stm page did exist prior to the 6.0 production release.

Multiple Vulnerabilities from idefense.com

David Endler of idefense.com has reported multiple security vulnerabilities in the Sambar Server. All have been verified; many thanks David! Defenses are outlined below (and should be applied to all versions of the Sambar Server). All of these issues have been fixed in the 6.0 beta 6 release (or earlier).

/cgi-bin/testcgi.exe should be removed (shipped in 5.X releases).
testisa.dll should be removed (shipped in 5.X releases.)
samples/search.dll should be removed (shipped in 5.x releases.)
/cgi-bin/environ.pl, /cgi-bin/mortgage.pl, /cgi-bin/book.pl and /cgi-bin/dumpenv.pl should be removed (shipped prior to 6.0 beta 6.)
/samples/*.shtml should be removed (shipped prior to 6.0 beta 6.)
The auto-execution of .pl CGI scripts can be exploited to attack Windows devices (prior to the 6.0 beta 3). The config.ini parameter Perl Executable should be removed and perl scripts specified using the #! directive at the top of the CGI script.
The HTTP Proxy server (prior to 6.0 beta) contains a significant security vulnerability; all 5.x proxy servers should be disabled or you should disallow 127.0.0.1 via a proxydeny entry in the security.ini file.

HTTP CGI-BIN Vulnerability

The sample application search.pl that ships with the sambar server includes a buffer-overflow vulnerability. This was closed in the 6.0 beta 3 release (by disallowing script execution by anyone other than "localhost"). This script should be removed from all production servers; it will not be shipped with future releases of the server.

Linux HTTP Server Vulnerability

The Linux 6.0 Beta 3 HTTP server has a security vulnerability associated with file access. Please add the character tilde (~) to the "Invalid Characters" list in the config.ini file. This security vulnerability is closed in the latest preview release of the Linix server. This does not effect the Windows release.

Buffer Overflow on /session/login

A bug report on fulldisclosure.org incorrectly indicated that all versions of the Sambar Server are vulnerable to a buffer-overflow attack on /session/login. This is not correct; the 5.3 production server is not vulnerable to this attack. Prior versions of the server may be at risk, but the author of the original report has not been responsive to queries as to his claims.

Cross-Site Scripting and CGI Vulnerabilities

All Sambar Server release prior to 5.3 contain several cross-site scripting vulnerability reported by Gregory Le Bras at security-corp.org. This vulnerability has been confirmed and is considered minor at this time. The vulnerabilities have been fixed in the 6.0 beta 1 release and can be address in the 5.3 production release by using the RC@striphtml or RC@txt2html scalar around the variables documented in the bug report.

The CGI scripts documented in the bug report should be removed before putting the server in production. They have been removed or secured in the 6.0 beta 1 release. Finally, the cross-site scripting vulnerabilities of the forms in the /sysuser section should be secured by requiring a valid user login to utilize those pages (again, this has been done in the 6.0 beta 1 release).

Mail Server Security Alert

A bug was introduced in the 5.3 beta 2 release relating to the "Relay IPs" feature found in the mail.ini configuration file. If you are a user of this feature, please return to the 5.2 production or upgrade to the 5.3 beta 3 preview 1 release or later.

There is a bug in the mail server prior to 5.0 production that results in the SMTP server acting as an open relay if the Restrict Relay IPs configuration parameter is set. With either the Restrict Relay = true or Require AUTH = true parameters, the Restrict Relay IPs is likely unnecessary.

WWW Server Security Alert

All releases prior to the 5.2 production release are vulnerable to a DOS attack against DOS devices. While many DOS devices were properly secured, several were not. In addition, the 5.2 production release includes the OpenSSL 0.9.6g release that fixes a buffer-overflow bug in the SSL library.

All releases prior to the 5.2 beta 1 release are vulnerable to having the source code associated with CGI scripts and JSP files exposed via an URL sequence.

All releases prior to the 5.1 production release are subject to a DOS attack resulting from a manipulation of the login URL. In addition, an attach on a specific HTTP header can crash the server. Finally, the cgi-win samples shipped with all releases prior to the 5.1 production release were vulnerabile to a security attach. These bugs were reported by Mark Litchfield of NGS Software (many thanks!).

The 5.1 Beta 2, 3 and 4 releases are subject to a crash due to a bug in the server-side include processing of the "echo" DOCUMENT_ROOT command. This has been fixed in the latest preview release (3/17/2002) and the 5.1 beta 5 release.

All versions of the Sambar WWW Server prior to the 5.1 Beta 4 release are vulnerable to a reported DoS attack against the /cgi-win/cgitest.exe sample application. (Reported by Tamer Sahin at www.securityoffice.net). This sample application should be removed from your cgi-win directory (it will be removed from subsequent releases of the server and the CGI-WIN security vulnerability closed.)

All versions of the Sambar WWW Server prior to the 5.0 production release are vulnerable to a bug in the /isapi/testisa.dll sample pplication that allows users to display the contents of files outside the Documents Directory. This sample DLL should be removed from production servers.

All versions of the Sambar WWW Server prior to the 5.0 production release are vulnerable to a SSI bug that allows users to use the "#include file" functionality to display the contents of files outside the Documents Directory. This exploit can only be used by users that have access to upload .shtml files to the server.

All versions of the Sambar WWW Server with the exception of 5.0 beta 5 and later releases have a security vulnerability associated with the pagecount sample code. Please immediately comment out the following line in your config.ini and restart your server (or upgrade to 5.0 beta 5):

INIT = samples.dll:general_init

This will disable the pagecount RPC/scalar. A patch for this bug will be released during the week of 6/20.

The 4.2 and 4.3 production releases contain a vulnerability in the netutils sample code shipped with the server. A buffer-overrun exploit can be used against the "finger" RPC. A fix for this bug is being prepared and should be available the week of 6/12/2000. In the meantime, you should modify your config.ini and comment out the line: INIT = samples.dll:netutils_init. This will disable the network utility samples and remove this exploit.

In addition, a security hole has been found in the 4.3 production release that can allow .htm and .html files in a directory secured by .htaccess constraints to be accessed via browser. To exploit this hole, a user must know the file name in the secured directory. This hole can be secured by using the security.ini file to secure the directory and/or by renaming any .htm or .html files in the .htaccess secured directory to .stm. The 4.4 beta 1 release includes a fix for this vulnerability. Many thanks to Melvyn Sopacua and James Wright for bringing this bug to my attention.