COMMAND

    OmniHTTPd

SYSTEMS AFFECTED

    OmniHTTPd

PROBLEM

    The following is based on 403 Security Lab Advisory 403-05-2001 by
    Astral.  In addition to standard CGI support, the OmniHTTPd  server
    offers features such as Keep-Alive connections, table auto-indexing
    and server-side includes.  For maximum performance,  OmniHTTPd  is
    both 32-bit and multi-threaded.

    PHP is an open source, server-side, cross-platform,  HTML-embedded
    scripting language.  PHP  is a good alternative to  ASP because its
    native support is not limited to servers running IIS on Windows NT.
    The PHP libraries provide good support for tasks such  as  SQL  and
    LDAP operations.

    OmniHTTPd supports PHP scripts, but it has  two  vulnerabilities.
    Both stem from the way OmniHTTPd processes such scripts.

    If a malicious user sends a large number of requests for an existing
    or non-existing PHP script on the web server, the server will consume
    100% of the processor.  Why does this happen?

    Every time a request for a PHP script arrives, OmniHTTPd  starts  a
    new PHP.exe process and runs the script in it, rather than  keeping
    the interpreter memory-resident.  Severity: denial of service.

    There is also a script source disclosure.  This one is  much  more
    dangerous: it allows anyone to view the source of scripts.   This
    vulnerability is similar to ones Microsoft has had problems with.

    It is possible to make OmniHTTPd treat .php, .shtml and  .pl  files
    as ordinary HTML documents.  How?

    By appending an encoded space character (%20) to the requested path,
    OmniHTTPd identifies any script as an HTML file and sends the script
    source back to the client.  Exploit:

        GET /somefuckingboringphpscript.php%20%20 HTTP/1.1

    Severity: Disclosure of script source
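    The following is an added illustration, not code from the advisory
    or from OmniHTTPd: a model of the extension-to-handler lookup that
    produces the misclassification described above, beside a hardened
    lookup, plus a check that flags the request pattern in constructed
    access-log lines.  The handler names, log lines and the assumption
    that the server keys its handlers on the file extension are mine.

```python
import os
import re
from urllib.parse import unquote

# Assumed handler table: a script extension goes to an interpreter,
# anything else is served verbatim as a static file.
SCRIPT_EXTENSIONS = {".php", ".shtml", ".pl"}

def windows_open_name(path):
    """Windows strips trailing spaces and dots from a file name before
    opening it, so 'x.php ' and 'x.php' open the same file."""
    return path.rstrip(" .")

def classify_naive(request_path):
    """Flawed lookup (assumed model of the bug, not OmniHTTPd's code):
    the extension is read from the decoded path as-is, so '/x.php%20'
    yields the extension '.php ', which matches no handler, and the
    file is served as static HTML although the filesystem opens x.php."""
    decoded = unquote(request_path)
    _, ext = os.path.splitext(decoded)
    handler = "script" if ext in SCRIPT_EXTENSIONS else "static"
    return handler, windows_open_name(decoded)

def classify_hardened(request_path):
    """Reject whitespace and control characters outright, then classify
    by the name the filesystem will actually open, case-insensitively."""
    decoded = unquote(request_path)
    if any(c.isspace() or ord(c) < 0x20 for c in decoded):
        return None  # caller answers 400 Bad Request
    opened = windows_open_name(decoded)
    _, ext = os.path.splitext(opened)
    handler = "script" if ext.lower() in SCRIPT_EXTENSIONS else "static"
    return handler, opened

# Detection: a script extension followed only by encoded whitespace.
SUSPICIOUS = re.compile(r"\.(php|shtml|pl)(%20|%09|%0d|%0a)+(\?|$)", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - - [12/Mar/2001:10:00:01] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Mar/2001:10:00:02] "GET /admin/db.php%20%20 HTTP/1.1" 200 2048',
    '10.0.0.7 - - [12/Mar/2001:10:00:03] "GET /cgi/form.pl%20 HTTP/1.1" 200 1100',
    '10.0.0.9 - - [12/Mar/2001:10:00:04] "GET /about.html HTTP/1.1" 200 300',
]

def suspicious_requests(log_lines):
    """Return request targets carrying encoded whitespace after a script
    extension, i.e. candidates for the source-disclosure pattern."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m and SUSPICIOUS.search(m.group(1)):
            hits.append(m.group(1))
    return hits
```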

SOLUTION

    The vendor has not responded so far.