Security Advisory 06 – 011 – Source Code Disclosure Vulnerability
Vulnerability discovery and development:
Portcullis Security Testing Services.
Credit for Discovery:
Paul Docherty – Portcullis Computer Security Ltd.
Fujitsu HTTPD Server Version 1.0
The Fujitsu web server is part of a system managment suite of products which is designed to allow network based management of the host the server resides on. By sending a specially crafted http request to the server it is possible to retrieve the source code of CGI scripts on the vulnerable server.
The request that triggers this issue consists of sending a sequence of “change directory” characters that are not terminated with the final slash (/) an example of this being; by default the system loads the CGI script, top.cgi which in turn goes off and loads other java based code, in order to view the source code of the top.cgi script make a request for /../.. Additionally only HTTP/1.1 requests with a qualified Host: header trigger the issue.
An attacker can request and view the source code of CGI scripts on the vulnerable server.
Portcullis have developed a utility to identify this vulnerability. See Portcullis Advisory 06-010 for details.
Notified via email 2 November 2005
Notified (2) via email 17 February 2006
Notified (3) via email 17 April 2006
Notified (4) via email 30 June 2006