WebSite 1.1 for Windows NT winsample buffer overflow

http-website-winsample (295) The risk level is classified as HighHigh Risk

Description:

The win-c-sample.exe program, installed by default in the cgi-shl directory of O'Reilly WebSite with the privileges of the user owning the server process.

Platforms Affected:

  • Apple, Mac OS
  • Cisco, IOS
  • Compaq, Tru64
  • Data General, DG/UX
  • HP, HP-UX
  • IBM, AIX
  • IBM, OS2
  • Linux, Kernel
  • Microsoft, Windows 2000
  • Microsoft, Windows 2003 Server
  • Microsoft, Windows 95
  • Microsoft, Windows 98
  • Microsoft, Windows 98SE
  • Microsoft, Windows Me
  • Microsoft, Windows NT 4.0
  • Microsoft, Windows XP
  • Novell, NetWare
  • O'Reilly Software, O'Reilly Website 2.0 and prior
  • SCO, SCO Unix
  • SGI, IRIX
  • Sun, Solaris
  • Various vendors, Common Gateway Interface (CGI)
  • WindRiver, BSDOS

Remedy:

Remove the Win-C-Sample.exe script from the cgi-shl or cgi-bin directory. There is no legitimate use for this script, and it has been removed from O'Reilly WebSite 2.0.

Consequences:

Gain Access

References:

  • O'Reilly Software Web site, O'Reilly Software: WebSite at http://website.oreilly.com/.
  • BID-2078: OReilly WebSite 1.x/2.0 win-c-sample.exe Buffer Overflow Vulnerability
  • CVE-1999-0178: Buffer overflow in the win-c-sample program (win-c-sample.exe) in the WebSite web server 1.1e allows remote attackers to execute arbitrary code via a long query string.
  • OSVDB ID: 8: O'Reilly WebSite win-c-sample Remote Overflow

Reported:

Jan 06, 1997

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page