http://www.sddt.com/files/library/98/06/25/tbc.html
Source Programmers Discover Internet Server Bug
Daily Transcript Business Report
June 25, 1998
Programmers at San Diego Source, the online news service of the San
Diego Daily Transcript, have discovered a security hole affecting Web
server software from both Netscape Communications and software and
book publisher O'Reilly & Associates.
The bug, allowing for the display of sensitive programming code being
served by Windows NT and Windows 95 versions of Netscape Enterprise
and O'Reilly & Associates' WebSite Professional, can be used by
hackers to glean information considered by programmers to be
invisible. The bug could allow for easy display of private documents
featuring database passwords, user names and even programming codes
that make events occur but are not meant for public perusal.
So far the flaw has been shown to affect only machines running under
the Windows operating system, but it is not clear if these are the
only two Web server programs affected.
Netscape Communications, which was notified about the bug via its
Developer Forum on Friday, has been working with the Daily Transcript
and is investigating the issue. On Tuesday, when it was discovered
that WebSite Professional also was vulnerable, O'Reilly & Associates
was alerted as well.
Before either company had confirmed the bug's existence, Source
programmers were able to view unprocessed server-side scripts on
dozens of Web sites, including a server at Berkeley and www.osa.com,
which belongs to O'Reilly & Associates.
Because publishing specific details about the bug would leave
countless Web sites vulnerable, the Daily Transcript has agreed not to
describe exactly how the bug works until both companies have had a
chance to issue a patch. The bug, however, is similar to a Microsoft
Internet Information Server glitch that surfaced last year and since
has been patched.
"With that bug, you could tack a period to the end of a file name and
get the same results that we're seeing here," said Leland Baker, an NT
administrator and programmer at the Transcript who found the new bug.
"This was a problem because hackers could look at the contents of
unprocessed active server pages, which can contain Perl and VBScript
with sensitive information."
Microsoft scrambled to patch that glitch after CNET published details
on how to exploit it. The patch was successful, and Microsoft's IIS is
not vulnerable to the new bug. But a quick visit to a site running a
third-party program processing active server pages (ASPs) under
Netscape Enterprise revealed that, once again, the unprocessed
contents of ASPs can be viewed, so Microsoft's latest patch only
protects applications running under IIS.
Bob Denny, lead developer for O'Reilly & Associates' WebSite
Professional project, said the new bug stems from the fact that users
can pass a file name containing extra characters to the NT/95/98
operating system. Windows will accept the file name and open a file by
the same name, except with the trailing characters removed.
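The mechanism Denny describes, modelled as an added example (not code from Netscape, O'Reilly or the Transcript): a handler is chosen from the extension of the name as requested, while the operating system opens the file with the trailing characters removed. The in-memory site, the extension table and the Win32 name-stripping model are constructed assumptions for the demo.

```python
import posixpath

# Constructed site: URL path -> file content. The script source holds a
# database login, which must never be sent raw to a client.
SITE = {
    "/app/report.cfm": "<CFQUERY datasource='sales' username='dbuser' password='hunter2'>",
    "/index.html": "<html>public page</html>",
}

# Extensions that must go through a server-side processor, never be served raw.
SCRIPT_EXTS = {".cfm", ".asp", ".pl"}


def win32_open_name(url_path: str) -> str:
    """Assumed model of the Win32 quirk: trailing dots and spaces on the
    final path component are ignored, so 'report.cfm.' opens 'report.cfm'."""
    head, _, last = url_path.rpartition("/")
    return f"{head}/{last.rstrip('. ')}"


def vulnerable_dispatch(url_path: str):
    """Flawed pattern: pick the handler from the extension *as typed*,
    then open whatever the OS resolves. 'report.cfm.' has extension '.',
    so no processor runs and the raw script source is returned."""
    ext = posixpath.splitext(url_path)[1].lower()
    real = win32_open_name(url_path)
    if real not in SITE:
        return ("404", None)
    if ext in SCRIPT_EXTS:
        return ("processed", "<rendered output>")
    return ("raw", SITE[real])


def hardened_dispatch(url_path: str):
    """Fix: canonicalize first (already URL-decoded path assumed), refuse any
    request whose name changes under canonicalization, and choose the
    handler from the canonical name, i.e. the file that will actually open."""
    canonical = posixpath.normpath(win32_open_name(url_path))
    if canonical != url_path:
        return ("400", None)  # requested name is not the name that would be opened
    if canonical not in SITE:
        return ("404", None)
    ext = posixpath.splitext(canonical)[1].lower()
    if ext in SCRIPT_EXTS:
        return ("processed", "<rendered output>")
    return ("raw", SITE[canonical])
```

The same check generalizes to any OS-level name normalization (case folding, short 8.3 names, alternate data streams): decide the handler from the path the filesystem will open, not from the string the client sent.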
"We consider this a serious security problem," Denny said. "The 2.3
release of WebSite Pro is scheduled imminently (within days). We have
already implemented a fix for this problem, and the fix will be
available to our customers in the 2.3 version."
"The bug is dangerous because it doesn't take a hacker to exploit it,"
said Joseph Schmitt II, a system administrator for San Diego Source
who helped identify the new glitch. "When virtually any user can visit
your site and view the source code for an application, which sometimes
includes vital system information, there's a real security threat.
This bug may well affect the security of any file accessible via a URL
address, compiled or otherwise."
Jim Obsitnik, Netscape's Enterprise Server product manager, said
engineers at Netscape also were able to confirm the bug's existence,
and he indicated a patch would be issued early next week.
"We've taken a look at it. The bug is a new one, and we're looking for
the best way to get it out," Obsitnik said.
The fix will also be included with the next point release of
Enterprise, due to ship in September.
Obsitnik indicated that the bug could leave any server-side script
vulnerable, including some compiled and uncompiled executable files.
Server-side scripts are a sort of hybrid programming language,
combining standard HTML tags with tags developed by third-party
vendors to allow for dynamic content in Web pages. These scripts,
processed by a program residing on the server rather than by the
client's browser, commonly are used to integrate the contents of large
databases with Web pages. The end user sees only the information
requested, usually based on their input into a search page.
Allaire Cold Fusion, a popular and powerful database integration tool,
is one such program.
"The bug not only exposes the inner workings of a developer's own
applications," said Ben Forta, long-time Cold Fusion developer and
Allaire's product spokesman. "It could also expose highly confidential
data like network and database login names and passwords."
If hackers can view this information, it may be possible for them to
alter or even delete data.
While helping Netscape pinpoint which sites were affected, Baker and
Schmitt discovered that servers running WebSite Professional, a
popular Web server package from O'Reilly & Associates, also were
vulnerable.
"I viewed the source of one of their Cold Fusion scripts and then
e-mailed it to them," Baker said. "The guy I initially talked to there
was very concerned."
The bug is especially important to developers because entire
applications -- even entire sites -- are built using Cold Fusion
markup language (CFML) and ASP.
Cold Fusion ships with a program to encrypt CFML pages, but the
utility introduces a sometimes difficult layer to the administration
process.
"A lot of times, developers will encrypt a Cold Fusion application if
they sell it so that the source code can't be reused or modified,"
Baker said. "But encrypting an entire site can be difficult to manage.
Any bug fixes or modifications would have to be made to an unencrypted
file, moved and re-encrypted. When you're dealing with a large number
of files, this can seem like a tedious process until you get used to
it."
San Diego Source, at www.sddt.com, features numerous databases using
CFML to provide information on commercial leases, home purchases, the
San Diego Stock Exchange and more. Since discovering the bug, however,
San Diego Source has taken these extra steps to encrypt every CFML
script on the site to protect the integrity of the databases.