COMMAND
Alibaba
SYSTEMS AFFECTED
Alibaba 2.0
PROBLEM
Prizm found the following. Alibaba is a fully functional HTTP
server for Windows 95/98/NT. It supports CGI, among many other
things. It is easily configurable and is quite easy to use.
Bug #1: Long GET request causes Alibaba server to crash
=======================================================
The problem, as usual, is with bounds checking. A request of the
form:
http://www.vulnerable.host.com/[8173 bytes]
will shut the Alibaba server down.
Bug #2: Problem in multiple scripts (overwrite and byte injection)
==================================================================
This was found after reading a previous report on Alibaba
regarding several CGIs, get32.exe included. get16.exe,
post16.exe and post32.exe all seem to include the same
vulnerability as the one in get32.exe. Bugs in get32.exe,
alibaba.pl and tst.bat were found by Kerb.
www.vulnerable.host.com/cgi-bin/post32.exe|echo%20>c:\text.txt
www.vulnerable.host.com/cgi-bin/post16.exe|echo%20>c:\text.txt
www.vulnerable.host.com/cgi-bin/get16.exe|echo%20>c:\text.txt
These will overwrite text.txt, or any file you specify. The
get16.exe, post16.exe and post32.exe programs will also allow the
injection of code bytes into any executable file.
Bug #3: All cgi-bin scripts allow listing of Alibaba directory
==============================================================
By appending |dir%20c:\[dir] to the request for any CGI script,
you can see the contents of the directory specified after |dir%20.
CGI scripts that seem to be able to do this are: get16.exe,
get32.exe, post16.exe, get32.exe, tst.bat, tst2.bat, lsin.exe,
lsindex2.bat, imapcern.exe, imapncsa.exe and aliredir.exe.
SOLUTION
I believe Alibaba is a project that has been finished and it is no
longer active...
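
Since no fix is available, a log check for the request patterns in bugs #1 to #3 is one way to spot attempts against a remaining install. This is an added example, not part of the original advisory: it assumes access logs in Common Log Format (the advisory does not describe Alibaba's logging), and the names classify, scan and SAMPLE_LOG and all sample lines are constructed.

```python
import re
from urllib.parse import unquote

# From the advisory: a request path of 8173 bytes shuts the server down.
CRASH_LEN = 8173
# Metacharacters seen in the advisory's CGI requests ('|' and '>'), plus '<'.
SHELL_META = re.compile(r"[|<>]")
# Request field of a Common Log Format line (the log format is an assumption).
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+)(?: HTTP/[\d.]+)?"')

def classify(line):
    """Return the list of findings for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return ["unparsed"]
    target = m.group("target")
    findings = []
    if len(target.encode()) >= CRASH_LEN:
        findings.append("overlong-request")
    # Drop the query string, then decode twice so that %7C and the
    # double-encoded %257C both become '|'.
    path = unquote(unquote(target.split("?", 1)[0]))
    if "/cgi-bin/" in path.lower() and SHELL_META.search(path):
        findings.append("cgi-shell-metachar")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line with a finding."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits.append((n, found))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:00:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2000:00:00:02 +0000] "GET /cgi-bin/get32.exe?a=1&b=2 HTTP/1.0" 200 90',
    '192.0.2.12 - - [01/Jan/2000:00:00:03 +0000] "GET /cgi-bin/post32.exe|echo%20>c:\\text.txt HTTP/1.0" 200 0',
    '192.0.2.13 - - [01/Jan/2000:00:00:04 +0000] "GET /cgi-bin/tst.bat%7Cdir%20c:\\ HTTP/1.0" 200 300',
    '192.0.2.14 - - [01/Jan/2000:00:00:05 +0000] "GET /' + "A" * CRASH_LEN + ' HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(found)}")
```

The same two conditions (request length and metacharacters in a cgi-bin path) can be enforced as reject rules on a filtering proxy placed in front of the server.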