ISS X-Force Database: zeus-server-null-string(3982): Zeus Web server null string could reveal CGI script content

Zeus Web server null string could reveal CGI script content

zeus-server-null-string (3982)

Low Risk

Description:

Zeus Web server could reveal CGI script content. If the CGI module option "allow CGIs anywhere" is enabled, a remote attacker could append "%00" to the end of a CGI script file name and view the full contents of the script. This does not affect CGI scripts located in directories designated as executable (such as \cgi-bin).

Platforms Affected:

Zeus, Zeus Web Server 3.1.x
Zeus, Zeus Web Server 3.3.x

Remedy:

Upgrade the Zeus Web server to 3.3.5a or higher, available from the Zeus Technology FTP site. See References.

To install the latest version of the Zeus Web server:

Download the appropriate distribution for your platform.
Untar the file.
Run './zinstall --force'. This will upgrade the running server to the new release.

Consequences:

Obtain Information

References:

BugTraq Mailing List, Tue Feb 08 2000 - 06:49:04 CST, Zeus Web Server: Null Terminated Strings at http://archives.neohapsis.com/archives/bugtraq/2000-02/0057.html.
BugTraq Mailing List, Tue Feb 08 2000 - 12:56:03 CST, [SAFER 000209.EXP.1.2] Zeus Web Server - obtaining source of CGI scripts at http://archives.neohapsis.com/archives/bugtraq/2000-02/0072.html.
S.A.F.E.R. Security Bulletin 000209.EXP.1.2, Zeus Web Server - obtaining source of CGI scripts at http://www.safermag.com/advisories/0005.html.
Zeus Technology, Inc. Web site, Zeus Technology FTP site at ftp://ftp.zeustechnology.com/pub/products/z3/.
BID-977: Zeus Web Server Null Terminated Strings Vulnerability
CVE-2000-0149: Zeus web server allows remote attackers to view the source code for CGI programs via a null character (%00) at the end of a URL.
OSVDB ID: 254: Zeus Technologies Zeus Web Server CGI Source Disclosure

Reported:

Feb 08, 2000

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page