Guardeonic Solutions AG (www.guardeonic.com) Security Advisory #01-2002 Advisory Name: DB4Web (R) File Disclosure Release Date: 09/17/02 Affected Product: DB4Web (R) Application Server Platform: Linux, *nix, MS Windows Version: Unknown Severity: A DB4Web component allows files on the server to be downloaded Author: Stefan Bagdohn Vendor Communication: 08/29/02 Initial Notification via email to support@db4web.de, cc: Juergen.Kettlitz@siemens.com 08/30/02 Got vendor receipt via phone 09/02/02 Phone call by vendor regarding details 09/09/02 Second email to vendor asking for patch status information 09/16/02 Phone call and email from vendor, Update/Patch available Overview: (From vendors website): "DB4Web, Your Application Server for high performance and secure Web-Applications with access to various data sources" ... "DB4Web (R) is a high-performance application server that makes available a multitude of data sources on the Web. This means that you can simultaneously read from and write to relational databases and a multitude of other information sources and applications through Intranet or the Internet." (end of vendor citation) The DB4Web (R) application can be misused to view (resp. download) files located on the server by sending special http requests. Decription: A DB4Web (R) server accessed with a webbrowser usually requests local or remote databases to generate dynamic html pages. By requesting malicious URLs one can manipulate the server application to disclose files located on the server system. The browser will download them and (according to the mime-type) show them directly within the browser window. The db4web_c binary (on Unix/Linux systems) or db4web_c.exe binary (on MS Windows) is located within the cgi-bin (scripts) directory of the webserver on the DB4Web (R) system. This binary executes the database query and is accessibly by the clients webbrowser. Example: On MS Windows systems the URL to retrieve the boot.ini file would look like: http://db4web.server.system/scripts/db4web_c.exe/dbdirname/c%3A%5Cboot.ini On Linux/Unix servers the following URL will show /etc/hosts: http://db4web.server.system/cgi-bin/db4web_c/dbdirname//etc/hosts In the above examples db4web.server.system means the Name or IP address of the server, dbdirname ist the name of the local database directory and %3A%5C is the representation of :\ needed to access c:\boot.ini. One can also download files, cmd.exe for example, by requesting c%3A%5Cwinnt%5Csystem32%5Ccmd.exe. Solution: The DB4Web team provided an update of their software and notified their customers about the problem. The patches can be found at: http://www.db4web.de/DB4Web/home/DB4Web/hotfix_e.html Credit: Thanks to the DB4Web team for good cooperation and fast response! (more to come...) EOF