Guardeonic Solutions AG (www.guardeonic.com)

Security Advisory #01-2002

Advisory Name:		DB4Web (R) File Disclosure
Release Date:		09/17/02
Affected Product:	DB4Web (R) Application Server
Platform:		Linux, *nix, MS Windows
Version:		Unknown

Severity:		A DB4Web component allows files on the server to be
			downloaded

Author:			Stefan Bagdohn <stefan.bagdohn@guardeonic.com>
			<buggy@segmentationfault.de>

Vendor Communication:	08/29/02 Initial Notification via email to 
				support@db4web.de, 
				cc: Juergen.Kettlitz@siemens.com
			08/30/02 Got vendor receipt via phone
			09/02/02 Phone call by vendor regarding details
			09/09/02 Second email to vendor asking for patch
				status information
			09/16/02 Phone call and email from vendor,
				Update/Patch available

Overview:

(From vendors website): "DB4Web, Your Application Server for high performance
and secure Web-Applications with access to various data sources"
...
"DB4Web (R) is a high-performance application server that makes available a
multitude of data sources on the Web. This means that you can simultaneously
read from and write to relational databases and a multitude of other
information sources and applications through Intranet or the Internet."
(end of vendor citation)

The DB4Web (R) application can be misused to view (resp. download) files
located on the server by sending special http requests.

Decription:

A DB4Web (R) server accessed with a webbrowser usually requests local or remote
databases to generate dynamic html pages. By requesting malicious URLs one can
manipulate the server application to disclose files located on the server
system. The browser will download them and (according to the mime-type) show
them directly within the browser window.
The db4web_c binary (on Unix/Linux systems) or db4web_c.exe binary (on 
MS Windows) is located within the cgi-bin (scripts) directory of the
webserver on the DB4Web (R) system. This binary executes the database query
and is accessibly by the clients webbrowser.

Example:

On MS Windows systems the URL to retrieve the boot.ini file would
look like:
http://db4web.server.system/scripts/db4web_c.exe/dbdirname/c%3A%5Cboot.ini

On Linux/Unix servers the following URL will show /etc/hosts:
http://db4web.server.system/cgi-bin/db4web_c/dbdirname//etc/hosts

In the above examples db4web.server.system means the Name or IP address of
the server, dbdirname ist the name of the local database directory and 
%3A%5C is the representation of :\ needed to access c:\boot.ini.

One can also download files, cmd.exe for example, by requesting
c%3A%5Cwinnt%5Csystem32%5Ccmd.exe.

Solution:

The DB4Web team provided an update of their software and notified their
customers about the problem. The patches can be found at:
http://www.db4web.de/DB4Web/home/DB4Web/hotfix_e.html

Credit:

Thanks to the DB4Web team for good cooperation and fast response!

(more to come...)
EOF