Tried, Tested and Proven

Security Advisory 06 – 011 – Source Code Disclosure Vulnerability

Vulnerable System:

Fujitsu/HTTPD ver1.0

Vulnerability discovery and development:

Portcullis Security Testing Services.

Credit for Discovery:

Paul Docherty – Portcullis Computer Security Ltd.

Affected Systems:

Fujitsu HTTPD Server Version 1.0

Details:

The Fujitsu web server is part of a system managment suite of products which is designed to allow network based management of the host the server resides on. By sending a specially crafted http request to the server it is possible to retrieve the source code of CGI scripts on the vulnerable server.

The request that triggers this issue consists of sending a sequence of “change directory” characters that are not terminated with the final slash (/) an example of this being; by default the system loads the CGI script, top.cgi which in turn goes off and loads other java based code, in order to view the source code of the top.cgi script make a request for /../.. Additionally only HTTP/1.1 requests with a qualified Host: header trigger the issue.

Impact:

An attacker can request and view the source code of CGI scripts on the vulnerable server.

Exploit:

Portcullis have developed a utility to identify this vulnerability. See Portcullis Advisory 06-010 for details.

Vendor Status

Notified via email 2 November 2005

Notified (2) via email 17 February 2006

Notified (3) via email 17 April 2006

Notified (4) via email 30 June 2006

Copyright:

Copyright © Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.