OSU is "a http server for Compaq/HP (rest in peace, DEC) OpenVMS operating system. It supports a wide variety of TCP stacks for VMS like UCX, MultiNet, among others. Besides this OSU supports CGI (written in DCL), SSI and many others". Two security vulnerability have been discovered in OpenVMS's OSU HTTP server, allowing remote attackers to disclose the path/directory of the remote server.
Path disclosure (tested on OSU 3.11):
This one is pretty simple. If one requests a non-existent file to the server it simply returns like this:
Error: File /staff$disk/www_server/home/NONEXISTANT (/NONEXISTANT) could not be opened VMS specification: staff$disk:[www_server.home]NONEXISTANT index.url present
Exposing path information that, in our opinion, should not be exposed.
Directory and file disclosure:
This occurs by the faulty handling of wildcards (VMS '*' char) on URL specifications as in: http://muzgo.is.a.freak.foo.bar/a*/
Which leads to the content of the first directory starting with the letter 'a' being shown and totally browsable. Sometimes there might be hidden or useful information:
Just a single click and you can view the content or download the exposed files. A smart attacker could create a very simple script to perform a brute-force attack to guess directory names and access them directly.
Disclosure Timeline:
Apr 2006: Vulnerability detected;
18 May 2006: Advisory written;
09 Jun 2006: Vendor contacted;
09 Jul 2006: No response from vendor;
18 Sep 2006: Advisory released.
