Mailing List Archive

Fw: IBM AS/400 HTTP Server '/' attack
Hi everybody,

I wrote a plugin for this security problem.

The correct banner is "IBM-HTTP-Server/1.0".

Working box (hope so):

http://www.slc.sc.edu/borrowers/nmaddrinqchguse.htm

"HTTP/1.0 200 OK
Server: IBM-HTTP-Server/1.0
Date: Thu, 08 Nov 2001 18:53:14 GMT
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 13465
Last-Modified: Fri, 12 May 2000 12:25:00 GMT
Age: 7195
X-Cache: MISS from sgt2-t2-1.mcbone.net
Connection: close"

http://www.slc.sc.edu/borrowers/nmaddrinqchguse.htm/

"HTTP/1.0 200 OK
Server: IBM-HTTP-Server/1.0
Date: Thu, 08 Nov 2001 18:53:36 GMT
Accept-Ranges: bytes
Content-Type: www/unknown <------------------ my trigger
Content-Length: 13465
Last-Modified: Fri, 12 May 2000 12:25:00 GMT
Age: 7195
X-Cache: MISS from sgt2-t2-1.mcbone.net
Connection: close"

http://uptime.netcraft.com/up/graph/?mode_u=off&mode_w=on&site=http%3A%2F%2Fwww.slc.sc.edu&submit=Examine


Regards,
Felix Huber


-------------------------------------------------------
Felix Huber, Security Consultant, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelix@webtopia.de (07668) 951 156 (phone)
http://www.webtopia.de (07668) 951 157 (fax)
(01792) 205 724 (mobile)
-------------------------------------------------------



----- Original Message -----
From: "'ken'@FTU" <franklin_tech_bulletins@yahoo.com>
To: "bugtraq" <bugtraq@securityfocus.com>
Sent: Thursday, November 08, 2001 3:41 PM
Subject: IBM AS/400 HTTP Server '/' attack


> IBM's HTTP Server on the AS/400 platform is vulnerable to an attack
> that will show the source code of the page -- such as an .html or .jsp
> page -- by attaching a '/' to the end of a URL.
>
> Compare these two URLs:
>
> http://www.foo.com/getsource.jsp
>
> http://www.foo.com/getsource.jsp/
>
> The latter URL will deliver the jsp source to the browser.
>
> I reported this problem to IBM approximately 9 or 10 months ago.
>
> I was told it was a bug but not a security vulnerability. When I
> explained that Microsoft had a similar bug (asp dot bug) they told me
> that "they did not share the same source code base." I replied to this
> ludicrous reply: "Isn't it possible that since you developed servers
> that function in a similar manner you have the same logical bug?" To
> this they were speechless. I imagine that a .jsp page could contain user
> names and passwords if they are accessing databases, especially if these
> databases are on the network.
>
> By the way, the IBM HTTP server was derived from an early version of
> Apache. I have not seen Apache servers vulnerable to this bug.
>
> Since I reported this "non-security" bug so long ago I hope it is fixed
> through the regular set of changes. I cannot confirm this bug was fixed.
> As far as I know this vulnerability was not yet reported to the public.
>
> 'ken'
>
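An offline version of the trigger Felix describes, added here as an example and not the plugin he mentions or any code from the thread: it parses two captured responses for the same resource, with and without the trailing '/', and flags the Content-Type collapse to www/unknown that marks the source disclosure, keeping the Server banner as the weaker secondary signal. The responses are constructed from the headers quoted above; the banner list and function names are this example's own.

```python
from typing import Dict, Tuple

# Constructed sample responses, modelled on the headers quoted in the post.
RESP_PLAIN = (
    "HTTP/1.0 200 OK\r\n"
    "Server: IBM-HTTP-Server/1.0\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 13465\r\n\r\n"
)
RESP_SLASH = (                       # same file requested with a trailing '/'
    "HTTP/1.0 200 OK\r\n"
    "Server: IBM-HTTP-Server/1.0\r\n"
    "Content-Type: www/unknown\r\n"  # the trigger: file served as raw bytes
    "Content-Length: 13465\r\n\r\n"
)
RESP_SLASH_FIXED = (                 # what a non-affected server answers
    "HTTP/1.0 404 Not Found\r\n"
    "Server: Apache/1.3.20\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# Banners named in the thread (assumption: exact prefixes to match on).
AFFECTED_BANNERS = ("IBM-HTTP-Server/1.0", "VSE-HTTPD/")


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def banner_matches(headers: Dict[str, str]) -> bool:
    """Weak signal: Server banner is one of the versions reported affected."""
    server = headers.get("server", "")
    return any(server.startswith(b) for b in AFFECTED_BANNERS)


def trailing_slash_leak(raw_plain: str, raw_slash: str) -> bool:
    """Strong signal: both requests succeed, but the '/' form loses its
    MIME type and comes back as www/unknown, i.e. the page source."""
    status_p, h_p = parse_response(raw_plain)
    status_s, h_s = parse_response(raw_slash)
    if status_p != 200 or status_s != 200:
        return False
    ctype_s = h_s.get("content-type", "").lower()
    return ctype_s == "www/unknown" and ctype_s != h_p.get("content-type", "").lower()
```

Run against real captures of your own server before and after applying IBM's fix; a 404 or an unchanged Content-Type on the '/' form means the check no longer fires.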
Fw: IBM AS/400 HTTP Server '/' attack
Possibly no banner check?

Regards,
Felix Huber


-------------------------------------------------------
Felix Huber, Security Consultant, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelix@webtopia.de (07668) 951 156 (phone)
http://www.webtopia.de (07668) 951 157 (fax)
(01792) 205 724 (mobile)
-------------------------------------------------------

----- Original Message -----
From: "Chris Best" <CBest@lafayettegov.com>
To: "''ken'@FTU'" <franklin_tech_bulletins@yahoo.com>
Cc: "'bugtraq'" <bugtraq@securityfocus.com>
Sent: Thursday, November 08, 2001 9:45 PM
Subject: RE: IBM AS/400 HTTP Server '/' attack


>
> Just checked our OS/390 machine. It's running 'VSE-HTTPD/01.04.00'
> and is also vulnerable. Cute bug. :)
>
Re: Fw: IBM AS/400 HTTP Server '/' attack
On Thu, Nov 08, 2001 at 10:34:13PM +0100, Felix Huber wrote:
> Possibly no banner check?

The script you wrote & published is better :)



-- Renaud