Gattaca Server is "A high performance Windows NT based Mail and Web Server software for building own intranet".
Credit:
The information has been provided by Gregory Le Bras.
Directory Content Disclosure:
When it receives a GET request for a path consisting of two slashes ("//"), the server displays the directory's contents instead of the default web page.
Example:
http://[target]//
Denial of Service:
A security vulnerability in the server allows remote and local attackers to cause the server to crash by issuing a specific command (LLIST) with a buffer that exceeds 1048 bytes.
$> LLIST AAAA...[1024]...AAAA
Directory Traversal:
Due to incorrect filtering of user-provided data, a remote attacker can cause the server to return the contents of files that reside outside the web root directory.
http://[target]/view.tmpl?testfile=../../winnt/win.ini
Cross Site Scripting:
Due to incorrect filtering of user-provided data, a remote attacker can cause the product to return malicious HTML/JavaScript as if it were the web server's own content.
http://[target]/view2.tmpl?text=[hostile_code]
The hostile code could be:
[script]alert("Cookie="+document.cookie)[/script]
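The three HTTP issues above all leave a recognisable trace in the web server's request log, so a defender can look for them after the fact. The following is an added example, not code from the advisory or from the Gattaca Server product: it classifies request targets using exactly the patterns the advisory describes (a "//" path, "../" in view.tmpl's testfile parameter, script tags in view2.tmpl's text parameter) and scans a few constructed Common Log Format lines. The log format, the sample entries and the issue labels are assumptions; the LLIST denial-of-service is not an HTTP request and is out of scope here.

```python
"""Flag web server requests matching the Gattaca Server issues described in
the advisory. Added example; the log format and sample lines are constructed."""
import re
from urllib.parse import parse_qs, unquote

# Request-line field of a Common Log Format entry: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A ".." path segment delimited by either slash style, or at either end
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# An opening or closing script tag, case-insensitive, tolerant of whitespace
SCRIPT_RE = re.compile(r'<\s*/?\s*script', re.IGNORECASE)


def classify_request(target):
    """Return the list of advisory issues matched by one request target."""
    findings = []
    # Split manually: urlsplit() would treat a leading "//" as a netloc
    path, _, query = target.partition('?')
    path = unquote(path)
    # parse_qs percent-decodes values and splits only on the first "="
    params = {k.lower(): v for k, v in
              parse_qs(query, keep_blank_values=True).items()}

    # Directory content disclosure: a request path beginning with "//"
    if path.startswith('//'):
        findings.append('directory-disclosure')

    # Directory traversal through view.tmpl's testfile parameter
    if path.lower().endswith('/view.tmpl'):
        if any(TRAVERSAL_RE.search(v) for v in params.get('testfile', [])):
            findings.append('directory-traversal')

    # Reflected script injection through view2.tmpl's text parameter
    if path.lower().endswith('/view2.tmpl'):
        if any(SCRIPT_RE.search(v) for v in params.get('text', [])):
            findings.append('xss')

    return findings


# Constructed sample log lines (not taken from any real server)
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2003:12:00:01 +0200] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.7 - - [10/Jul/2003:12:00:02 +0200] "GET // HTTP/1.0" 200 1401',
    '10.0.0.7 - - [10/Jul/2003:12:00:03 +0200] '
    '"GET /view.tmpl?testfile=../../winnt/win.ini HTTP/1.0" 200 2203',
    '10.0.0.9 - - [10/Jul/2003:12:00:04 +0200] '
    '"GET /view2.tmpl?text=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 90',
    '10.0.0.5 - - [10/Jul/2003:12:00:05 +0200] '
    '"GET /view.tmpl?testfile=about.txt HTTP/1.0" 200 300',
]


def scan_log(lines):
    """Return (client, target, findings) for every log line that matches."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line
        findings = classify_request(m.group('target'))
        if findings:
            client = line.split(' ', 1)[0]
            hits.append((client, m.group('target'), findings))
    return hits


if __name__ == '__main__':
    for client, target, findings in scan_log(SAMPLE_LOG):
        print(f'{client} {target} -> {", ".join(findings)}')
```

The path is percent-decoded once before the checks so that encoded dots or slashes are not missed; a 200 response on a matched line is the strongest indicator, since it means the server actually served the listing, file or reflected text.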
Vendor response(s) and Workarounds:
Directory Content Disclosure:
There are two ways to prevent this issue:
1) Open the file %systemroot%\gattaca.ini in Notepad and locate the following section:
====================================
[GATTACA]
PATH=C:\GeeOSPub
ENVIRONMENT=C:\GeeOSPub\wwwroot\.config
SITE=C:\GeeOSPub\wwwroot\.config
====================================
The last two lines (ENVIRONMENT and SITE) can be removed. The new configuration settings will be picked up by the Gattaca Server within 15 seconds.
2) You can alternatively update the C:\GeeOSPub\wwwroot\.config file. Replace the following:
=====================
[HTTPFOLDER]
/=1
=====================
With:
=====================
[HTTPFOLDER]
/=0
=====================
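Because the server re-reads its configuration on its own, the workaround is easy to verify from the files alone. The following is an added example, not code from the advisory or from the vendor: it parses the two INI fragments shown above and reports whether either workaround is in place (ENVIRONMENT and SITE gone from [GATTACA], or "/" set to 0 under [HTTPFOLDER]), and it rewrites the [HTTPFOLDER] line in the same way the advisory describes. The sample file contents are constructed from the advisory's snippets; the INI syntax rules (comments, key handling) are assumptions about the format.

```python
"""Check and apply the directory-listing workarounds from the advisory.
Added example; file contents below are constructed from the advisory text."""
import configparser
import re

# Constructed samples mirroring the advisory's snippets
GATTACA_INI_BEFORE = (
    "[GATTACA]\n"
    "PATH=C:\\GeeOSPub\n"
    "ENVIRONMENT=C:\\GeeOSPub\\wwwroot\\.config\n"
    "SITE=C:\\GeeOSPub\\wwwroot\\.config\n"
)
HTTPFOLDER_BEFORE = "[HTTPFOLDER]\n/=1\n"
HTTPFOLDER_AFTER = "[HTTPFOLDER]\n/=0\n"


def _parse(text):
    """Parse INI text without interpolation and without lowercasing keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep ENVIRONMENT/SITE exactly as written
    cp.read_string(text)
    return cp


def gattaca_ini_listing_disabled(text):
    """Workaround 1: neither ENVIRONMENT nor SITE remains under [GATTACA]."""
    cp = _parse(text)
    if not cp.has_section('GATTACA'):
        return False  # unexpected file; treat as not hardened
    return not any(cp.has_option('GATTACA', key)
                   for key in ('ENVIRONMENT', 'SITE'))


def httpfolder_listing_disabled(text):
    """Workaround 2: the '/' entry under [HTTPFOLDER] is 0."""
    cp = _parse(text)
    if not cp.has_section('HTTPFOLDER'):
        return False
    # Missing entry is assumed to mean the default shown in the advisory (1)
    return cp.get('HTTPFOLDER', '/', fallback='1').strip() == '0'


def apply_httpfolder_workaround(text):
    """Return .config text with '/=1' changed to '/=0' under [HTTPFOLDER].
    Every other line is passed through untouched."""
    out, in_section = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith('[') and stripped.endswith(']'):
            in_section = stripped.upper() == '[HTTPFOLDER]'
        elif in_section and re.match(r'/\s*=\s*1\s*$', stripped):
            line = '/=0'
        out.append(line)
    return '\n'.join(out) + '\n'


def listing_disabled(gattaca_ini_text, config_text):
    """True if at least one of the two workarounds is in effect."""
    return (gattaca_ini_listing_disabled(gattaca_ini_text)
            or httpfolder_listing_disabled(config_text))


if __name__ == '__main__':
    print('before:', listing_disabled(GATTACA_INI_BEFORE, HTTPFOLDER_BEFORE))
    fixed = apply_httpfolder_workaround(HTTPFOLDER_BEFORE)
    print('after: ', listing_disabled(GATTACA_INI_BEFORE, fixed))
```

Run it against the real files by reading %systemroot%\gattaca.ini and C:\GeeOSPub\wwwroot\.config into the two text arguments; the rewrite function is deliberately line-based so it preserves any other settings in .config.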
Directory Traversal:
Workaround:
Remove the view.tmpl file.
Cross Site Scripting:
Vendor response:
The script is intended to allow insertion of HTML/JavaScript; therefore the vendor does not currently perceive this as a vulnerability and is not planning to fix it.
Disclosure timeline:
08/07/2003 Vulnerability discovered
08/07/2003 Vendor notified
09/07/2003 Vendor response
09/07/2003 Security Corporation clients notified
09/07/2003 Started e-mail discussions
10/07/2003 Last e-mail received
10/07/2003 Public disclosure