Bugtraq mailing list archives

[SIG^2 G-TEC] RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure Vulnerabilities


From: <chewkeong () security org sg>
Date: 1 Mar 2005 11:26:38 -0000



SIG^2 Vulnerability Research Advisory

RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure Vulnerabilities

by Tan Chew Keong
Release Date: 01 Mar 2005


ADVISORY URL
http://www.security.org.sg/vuln/raidenhttpd1132.html


SUMMARY

RaidenHTTPD Server (http://www.raidenhttpd.com/en/index.html) is a full-featured web server for the Windows 98 / 
Me / 2000 / XP / 2003 platforms. It is easy to install and use, and is designed for anyone who wants to have a website 
running within minutes. A CGI source code disclosure vulnerability was found in RaidenHTTPD that may be exploited to 
obtain the source code of any PHP script on the server. A buffer overflow vulnerability was also found that may be 
remotely exploited to cause a DoS or to execute arbitrary code.

 
TESTED SYSTEM

RaidenHTTPD Server Version 1.1.32 (Shareware) on English Win2K SP4.

 
DETAILS

This advisory documents two vulnerabilities found in the RaidenHTTPD server. The first may be remotely 
exploited to obtain the source code of any PHP script on the server. The second is a buffer overflow 
that may be remotely exploited to cause a DoS or to execute arbitrary code on the server.


1. CGI source code disclosure vulnerability.

RaidenHTTPD supports CGI scripts written in PHP or Perl. The default installation comes with PHP installed. Using 
a specially crafted URL, it is possible to obtain the source code of any PHP script on the server. 


2. Buffer overflow when processing HTTP requests with long URI.

A buffer overflow occurs when RaidenHTTPD receives a request whose URI is longer than 524 characters. 
Successful exploitation allows code execution with LOCAL SYSTEM privilege.
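As an added example that is not part of this advisory: a small Python log check that flags requests whose URI exceeds the 524-character threshold given above, run over constructed Common Log Format lines. The sample log lines, the host addresses and the helper names are assumptions for illustration, not anything taken from RaidenHTTPD.

```python
import re
from typing import Dict, List, Optional

# Threshold from the advisory: RaidenHTTPD 1.1.32 overflows on URIs
# longer than 524 characters. A detection rule should fire above it.
URI_LIMIT = 524

# Common Log Format: host ident user [time] "METHOD uri HTTP/x.y" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Parse one CLF line into its fields, or None if the line is malformed."""
    m = CLF_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def find_long_uri_requests(lines: List[str], limit: int = URI_LIMIT) -> List[Dict[str, object]]:
    """Return one record per request whose URI length exceeds `limit`.

    Malformed (non-CLF) lines are skipped rather than raising, so the
    check can be run over a whole log file as-is.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        uri_len = len(rec["uri"])
        if uri_len > limit:
            hits.append({
                "time": rec["time"],
                "host": rec["host"],
                "method": rec["method"],
                "uri_length": uri_len,
                "status": rec["status"],
            })
    return hits


# Constructed sample log lines (assumed, not from the advisory).
# The third line carries a 601-character URI, well past the 524 limit.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2005:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 1532',
    '10.0.0.5 - - [01/Mar/2005:10:15:03 +0000] "GET /images/logo.gif HTTP/1.1" 200 4021',
    '192.0.2.44 - - [01/Mar/2005:10:16:11 +0000] "GET /' + "A" * 600 + ' HTTP/1.0" 500 0',
    'not a log line at all',
]
```

Note that a server crashed by the overflow may never write the offending line to its own log, so the same length check is more reliable when applied to traffic captured in front of the server (reverse proxy or IDS) than to the server's access log alone.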



PATCH

The vendor has released version 1.1.34, which fixes these vulnerabilities.

 
DISCLOSURE TIMELINE

20 Feb 05 - Vulnerability Discovered.
22 Feb 05 - Initial Vendor Notification.
22 Feb 05 - Initial Vendor Reply.
22 Feb 05 - Received notification from vendor that fixed version 1.1.34 is released.
01 Mar 05 - Public Release.


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html 

"IT Security...the Gathering. By enthusiasts for enthusiasts."

