AN HTTPD Arbitrary Log Content Injection Vulnerability
BID:13069
Info
AN HTTPD Arbitrary Log Content Injection Vulnerability
| Bugtraq ID: | 13069 |
| Class: | Input Validation Error |
| CVE: |
CVE-2005-1087 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 08 2005 12:00AM |
| Updated: | Jul 12 2009 12:56PM |
| Credit: | Discovery is credited to Tan Chew Keong. |
| Vulnerable: |
AN AN-HTTPd 1.42 n |
| Not Vulnerable: | |
Discussion
AN HTTPD Arbitrary Log Content Injection Vulnerability
AN HTTPD is affected by a vulnerability that may allow remote attacker to inject arbitrary content in to the log file. This issue arises due to a failure of input validation.
Corruption of logs may result in concealing attacks and/or misleading an administrator.
This issue can also be exploited to carry out other attacks such as the execution of certain BAT file commands. This can result in the disclosure of source code and text files.
This issue may also aid in the exploitation of the vulnerability described in BID 13066 (AN HTTPD CMDIS.DLL Remote Buffer Overflow Vulnerability).
AN HTTPD 1.42n is reported vulnerable, however, it is possible that other versions are affected as well.
AN HTTPD is affected by a vulnerability that may allow remote attacker to inject arbitrary content in to the log file. This issue arises due to a failure of input validation.
Corruption of logs may result in concealing attacks and/or misleading an administrator.
This issue can also be exploited to carry out other attacks such as the execution of certain BAT file commands. This can result in the disclosure of source code and text files.
This issue may also aid in the exploitation of the vulnerability described in BID 13066 (AN HTTPD CMDIS.DLL Remote Buffer Overflow Vulnerability).
AN HTTPD 1.42n is reported vulnerable, however, it is possible that other versions are affected as well.
Exploit / POC
AN HTTPD Arbitrary Log Content Injection Vulnerability
An exploit is not required.
The following proof of concept examples are available:
http://www.example.com/a%20HTTP/1.0"%20200%202048%0d%0a255.255.255.255%20-%20-%20[06/Mar/2005%3a22%3a31%3a11%20+0800]%20"GET%20/hack
http://www.example.com/%0d%0atype%20cgi-bin%5Ctest.bat
To parse a command through 'cmdIS.DLL':
http://www.example.com/scripts/cmdIS.dll/httpd.log
An exploit is not required.
The following proof of concept examples are available:
http://www.example.com/a%20HTTP/1.0"%20200%202048%0d%0a255.255.255.255%20-%20-%20[06/Mar/2005%3a22%3a31%3a11%20+0800]%20"GET%20/hack
http://www.example.com/%0d%0atype%20cgi-bin%5Ctest.bat
To parse a command through 'cmdIS.DLL':
http://www.example.com/scripts/cmdIS.dll/httpd.log
Solution / Fix
AN HTTPD Arbitrary Log Content Injection Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
AN HTTPD Arbitrary Log Content Injection Vulnerability
References:
References: