Bugtraq mailing list archives

Users can view script source from Win WebServers


From: aleph1 () DFW NET (Aleph One)
Date: Sun, 28 Jun 1998 00:33:46 -0500


http://www.sddt.com/files/library/98/06/25/tbc.html

              Source Programmers Discover Internet Server Bug

                      Daily Transcript Business Report

                               June 25, 1998

    Programmers at San Diego Source, the online news service of the San
   Diego Daily Transcript, have discovered a security hole affecting Web
     server software from both Netscape Communications and software and
                   book publisher O'Reilly & Associates.

   The bug, allowing for the display of sensitive programming code being
    served by Windows NT and Windows 95 versions of Netscape Enterprise
      and O'Reilly & Associates' WebSite Professional, can be used by
        hackers to glean information considered by programmers to be
    invisible. The bug could allow for easy display of private documents
    featuring database passwords, user names and even programming codes
        that make events occur but are not meant for public perusal.

    So far the flaw has been shown to affect only machines running under
     the Windows operating system, but it is not clear if these are the
                   only two Web server programs affected.

     Netscape Communications, which was notified about the bug via its
   Developer Forum on Friday, has been working with the Daily Transcript
     and is investigating the issue. On Tuesday, when it was discovered
    that WebSite Professional also was vulnerable, O'Reilly & Associates
                            was alerted as well.

      Before either company had confirmed the bug's existence, Source
      programmers were able to view unprocessed server-side scripts on
    dozens of Web sites, including a server at Berkeley and www.osa.com,
                  which belongs to O'Reilly & Associates.

       Because publishing specific details about the bug would leave
   countless Web sites vulnerable, the Daily Transcript has agreed not to
     describe exactly how the bug works until both companies have had a
    chance to issue a patch. The bug, however, is similar to a Microsoft
    Internet Information Server glitch that surfaced last year and since
                              has been patched.

   "With that bug, you could tack a period to the end of a file name and
   get the same results that we're seeing here," said Leland Baker, an NT
   administrator and programmer at the Transcript who found the new bug.
     "This was a problem because hackers could look at the contents of
    unprocessed active server pages, which can contain Perl and VBScript
                        with sensitive information."

   Microsoft scrambled to patch that glitch after CNET published details
   on how to exploit it. The patch was successful, and Microsoft's IIS is
    not vulnerable to the new bug. But a quick visit to a site running a
      third-party program processing active server pages (ASPs) under
       Netscape Enterprise revealed that, once again, the unprocessed
      contents of ASPs can be viewed, so Microsoft's latest patch only
                  protects applications running under IIS.

        Bob Denny, lead developer for O'Reilly & Associates' WebSite
   Professional project, said the new bug stems from the fact that users
      can pass a file name containing extra characters to the NT/95/98
   operating system. Windows will accept the file name and open a file by
        the same name, except with the trailing characters removed.

    "We consider this a serious security problem," Denny said. "The 2.3
   release of WebSite Pro is scheduled imminently (within days). We have
      already implemented a fix for this problem, and the fix will be
              available to our customers in the 2.3 version."

   "The bug is dangerous because it doesn't take a hacker to exploit it,"
    said Joseph Schmitt II, a system administrator for San Diego Source
   who helped identify the new glitch. "When virtually any user can visit
   your site and view the source code for an application, which sometimes
     includes vital system information, there's a real security threat.
   This bug may well affect the security of any file accessible via a URL
                      address, compiled or otherwise."

      Jim Obsitnik, Netscape's Enterprise Server product manager, said
    engineers at Netscape also were able to confirm the bug's existence,
         and he indicated a patch would be issued early next week.

   "We've taken a look at it. The bug is a new one, and we're looking for
                the best way to get it out." Obsitnik said.

        The fix will also be included with the next point release of
                   Enterprise, due to ship in September.

     Obsitnik indicated that the bug could leave any server-side script
    vulnerable, including some compiled and uncompiled executable files.

       Server-side scripts are a sort of hybrid programming language,
      combining standard HTML tags with tags developed by third-party
     vendors to allow for dynamic content in Web pages. These scripts,
      processed by a program residing on the server rather than by the
   client's browser, commonly are used to integrate the contents of large
      databases with Web pages. The end user sees only the information
        requested, usually based on their input into a search page.

   Allaire Cold Fusion, a popular and powerful database integration tool,
                            is one such program.

     "The bug not only exposes the inner workings of a developer's own
     applications," said Ben Forta, long-time Cold Fusion developer and
   Allaire's product spokesman. "It could also expose highly confidential
         data like network and database login names and passwords."

    If hackers can view this information, it may be possible for them to
                         alter or even delete data.

    While helping Netscape pinpoint which sites were affected, Baker and
      Schmitt discovered that servers running WebSite Professional, a
      popular Web server package from O'Reilly & Associates, also were
                                vulnerable.

     "I viewed the source of one of their Cold Fusion scripts and then
   e-mailed it to them," Baker said. "The guy I initially talked to there
                            was very concerned."

        The bug is especially important to developers because entire
      applications -- even entire sites -- are built using Cold Fusion
                      markup language (CFML) and ASP.

      Cold Fusion ships with a program to encrypt CFML pages, but the
    utility introduces a sometimes difficult layer to the administration
                                  process.

   "A lot of times, developers will encrypt a Cold Fusion application if
     they sell it so that the source code can't be reused or modified,"
   Baker said. "But encrypting an entire site can be difficult to manage.
   Any bug fixes or modifications would have to be made to an unencrypted
   file, moved and re-encrypted. When you're dealing with a large number
    of files, this can seem like a tedious process until you get used to
                                    it."

    San Diego Source, at www.sddt.com, features numerous databases using
   CFML to provide information on commercial leases, home purchases, the
   San Diego Stock Exchange and more. Since discovering the bug, however,
    San Diego Source has taken the extra step of encrypting every CFML
        script on the site to protect the integrity of the databases.
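The mechanism Denny describes above (the server picks its handler from the name in the request, while Windows opens the file with the trailing characters removed) and the trailing-period trick Baker recalls from the IIS bug can be reproduced without a Windows box. The following is an added example written for this archive page; it is not code from the article, from Netscape, O'Reilly or Microsoft, and the names in it (DOCROOT, win32_normalize, serve_vulnerable, serve_fixed, leaks_source) are its own. win32_normalize stands in for the Win32 file-name handling the article attributes to the OS: trailing dots and spaces on the file name are dropped before the file is opened. The document root and the ColdFusion page in it are constructed for the example.

```python
"""Simulated reproduction of the trailing-character source-disclosure bug.

The vulnerable server selects the script engine by the extension of the
name as requested, but hands that same name to the OS, which quietly
strips trailing dots and spaces.  "/app/login.cfm." therefore misses the
.cfm handler, falls through to the static-file handler, and the OS opens
login.cfm and returns its source verbatim.
"""
from typing import Callable, Dict, Tuple
from urllib.parse import unquote

# Constructed document root (not a real site): a ColdFusion page carrying a
# database password, and an ordinary static page.
DOCROOT: Dict[str, str] = {
    "app/login.cfm": ('<CFQUERY NAME="q" DATASOURCE="hr" USERNAME="sa" '
                      'PASSWORD="s3cret">SELECT 1</CFQUERY>'),
    "app/index.html": "<html><body>public page</body></html>",
}

# Extensions the server hands to a script engine instead of the static handler.
SCRIPT_EXTENSIONS = {".cfm", ".asp", ".pl"}

Response = Tuple[int, str]


def win32_normalize(path: str) -> str:
    """Simulate the Win32 name handling the article describes: trailing dots
    and spaces on the last path component are dropped, so 'app/login.cfm.'
    and 'app/login.cfm ' both open 'app/login.cfm'.  (Assumed model of the
    OS behaviour; nothing here calls Windows.)"""
    parts = path.split("/")
    parts[-1] = parts[-1].rstrip(". ")
    return "/".join(parts)


def os_open(path: str):
    """Stand-in for opening a file through the OS: the name is normalized first."""
    return DOCROOT.get(win32_normalize(path))


def extension(path: str) -> str:
    """Extension exactly as written in the name the server was given."""
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def run_script(source: str) -> str:
    """Stand-in for the script engine: returns rendered output, never the source."""
    return "<html><body>rendered page (%d bytes of script)</body></html>" % len(source)


def serve_vulnerable(url_path: str) -> Response:
    """Handler chosen from the raw request name; the OS opens the normalized one."""
    rel = unquote(url_path).lstrip("/")
    body = os_open(rel)
    if body is None:
        return 404, ""
    if extension(rel) in SCRIPT_EXTENSIONS:   # 'login.cfm.' has extension '.'
        return 200, run_script(body)
    return 200, body                           # fall-through: raw source is served


def serve_fixed(url_path: str) -> Response:
    """Canonicalize first, refuse any name the OS would rewrite, and choose the
    handler from the canonical name."""
    rel = unquote(url_path).lstrip("/")
    canonical = win32_normalize(rel)
    if canonical != rel:
        return 404, ""          # the name as requested does not exist as such
    body = os_open(canonical)
    if body is None:
        return 404, ""
    if extension(canonical) in SCRIPT_EXTENSIONS:
        return 200, run_script(body)
    return 200, body


def leaks_source(serve: Callable[[str], Response], url_path: str, marker: str) -> bool:
    """Probe: does a 200 response to url_path contain a string that should
    only ever exist inside the script source?"""
    status, body = serve(url_path)
    return status == 200 and marker in body


if __name__ == "__main__":
    for probe in ("/app/login.cfm", "/app/login.cfm.", "/app/login.cfm%20"):
        print("%-20s vulnerable=%s fixed=%s" % (
            probe,
            leaks_source(serve_vulnerable, probe, "s3cret"),
            leaks_source(serve_fixed, probe, "s3cret")))
```

The same probe works against a live server: request a script URL with a trailing "." or "%20" appended and compare the body with the normal response; a body that contains CFML or ASP markup is the disclosure. The fix shown is the one a practitioner should insist on in any server that maps handlers by extension: derive the handler from the name the file system will actually open, and reject requests whose name differs from that canonical form. A hand-written strip list like win32_normalize is only a model; a real server should ask the OS for the canonical name of the file it resolved, since trailing dots and spaces are not the only rewriting Windows performs on file names (case folding and 8.3 short names are others).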
     _________________________________________________________________


