------[ ADVISORY ]------------------------------------[ 1999-01 ]------

                XITAMI WEBSERVER SHIPS WITH TESTCGI.EXE

------[ nostalgic ]-------------------[ nostalgic@nostalg1c.org ]------



_( 1 / PRODUCT INFORMATION )___________________________________________

Product name:	XITAMI WEB SERVER
Creators:	IMATIX
URL:		http://www.imatix.com/html/xitami



_( 2 / PROBLEM )_______________________________________________________

When installed out of the box, XITAMI allows all users to access a
sample CGI program called TESTCGI.EXE.
This program outputs a lot of information about the box running the
webserver, such as environment settings, various directory
information, the currently logged-in user, etc.
This information can be useful to crackers.


_( 3 / SAMPLE OUTPUT )_________________________________________________

----8<------- CUT -------8<----
CGI Test Program
Environment Variables
TMP                  = C:\WINDOWS\TEMP
TEMP                 = C:\WINDOWS\TEMP
PROMPT               = $p$g
WINBOOTDIR           = C:\WINDOWS
PATH                 = C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC              = C:\WINDOWS\COMMAND.COM
CTSYN                = C:\WINDOWS
CMDLINE              = WIN
WINDIR               = C:\WINDOWS
BLASTER              = A220 I5 D1 H5 P330 T6
HTTP_AUTHORIZATION   = Basic bm9zdGFsZzFjOnRjMTM3YjU=
HTTP_CONNECTION      = Keep-Alive
HTTP_HOST            = localhost
HTTP_USER_AGENT      = Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; TUCOWS)
HTTP_ACCEPT_ENCODING = gzip, deflate
HTTP_ACCEPT_LANGUAGE = nl-be
HTTP_ACCEPT          = application/msword, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
HTTP_CONTENT_LENGTH  = 0
SERVER_SOFTWARE      = Xitami
SERVER_VERSION       = 2.4d4
SERVER_NAME          = localhost
SERVER_URL           = http://localhost/
SERVER_PORT          = 80
SERVER_PROTOCOL      = HTTP/1.0
GATEWAY_INTERFACE    = CGI/1.1
REQUEST_METHOD       = GET
SCRIPT_PATH          = cgi-bin
SCRIPT_NAME          = /cgi-bin/testcgi.exe
CONTENT_TYPE         = 
CONTENT_LENGTH       = 0
REMOTE_USER          = nostalg1c
REMOTE_HOST          = 127.0.0.1
REMOTE_ADDR          = 127.0.0.1
PATH_INFO            = 
PATH_TRANSLATED      = C:/XITAMI/webpages
DOCUMENT_ROOT        = C:/XITAMI/webpages
CGI_ROOT             = C:/XITAMI/cgi-bin
CGI_URL              = /cgi-bin
CGI_STDIN            = C:\WINDOWS\TEMP\pipe0012.cgi
CGI_STDOUT           = C:\WINDOWS\TEMP\pipe0012.cgo
CGI_STDERR           = cgierr.log

Miscellaneous Information
Working directory: C:/Xitami/cgi-bin 

Current date and time: 99/11/10 22:30:58 
----8<------- CUT -------8<----
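
Added example (not part of the original advisory): a Python triage of a
saved TESTCGI.EXE page from your own server, grouping the variables it
prints by what they disclose. The category grouping, function names and
sample text are assumptions of this example.

```python
import base64
import re

# Names are from the advisory's sample output; the grouping is this example's assumption.
CATEGORIES = {
    "credentials": {"HTTP_AUTHORIZATION"},
    "identity": {"REMOTE_USER"},
    "server_version": {"SERVER_SOFTWARE", "SERVER_VERSION"},
}
PATH_RE = re.compile(r"^[A-Za-z]:[\\/]")  # C:\... or C:/... as in the dump
LINE_RE = re.compile(r"^([A-Z_][A-Z0-9_]*)\s*=\s?(.*)$")

def parse_dump(text):
    """Parse 'NAME = value' lines; headings and blank lines are skipped."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in matches if m}

def classify(env):
    """Return {category: {name: detail}} for non-empty values worth review."""
    findings = {}
    for name, value in env.items():
        category = next((c for c, n in CATEGORIES.items() if name in n), None)
        if category is None and PATH_RE.match(value):
            category = "filesystem_paths"
        if category is None or not value:
            continue
        if name == "HTTP_AUTHORIZATION" and value.lower().startswith("basic "):
            # Basic auth is base64, not encryption; keep the password out of the report.
            user = base64.b64decode(value[6:]).decode("latin-1").partition(":")[0]
            value = f"Basic credentials for user {user!r} (password redacted)"
        findings.setdefault(category, {})[name] = value
    return findings

# Constructed sample in the advisory's output format (not real data).
_token = base64.b64encode(b"alice:example-password").decode()
SAMPLE = f"""CGI Test Program
Environment Variables
HTTP_AUTHORIZATION   = Basic {_token}
SERVER_VERSION       = 2.4d4
REMOTE_USER          = alice
CONTENT_TYPE         =
DOCUMENT_ROOT        = C:/XITAMI/webpages
CGI_STDIN            = C:\\WINDOWS\\TEMP\\pipe0012.cgi
"""

if __name__ == "__main__":
    for category, items in classify(parse_dump(SAMPLE)).items():
        for name, detail in items.items():
            print(f"{category:16} {name:20} {detail}")
```

Any finding under "credentials" means the page echoed a visitor's
Authorization header back in recoverable form.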



_( 4 / SOLUTION )_____________________________________________________

Remove CGI-BIN/TESTCGI.EXE and, as always, don't trust out-of-the-box
installations :)



_( 5 / VULNERABLE VERSIONS )__________________________________________

I only tested this on the Win98 version 2.4d4; other Windows versions
are probably also vulnerable.



------[ END OF ADVISORY ]----------------------------------------------