COMMAND

    Sambar Web Server

SYSTEMS AFFECTED

    Sambar Web Server

PROBLEM

    'kyprizel' found the following.  By default, Sambar Web Server
    ships with a pagecount script, located at

        http://sambarserver/session/pagecount

    The counter writes its temporary files to c:\sambardirectory\tmp.
    If we request

        http://sambarserver/session/pagecount?page=index

    it creates a file named index in the Sambar temp directory, and
    if we request

        http://sambarserver/session/pagecount?page=../../../../../../autoexec.bat

    the script overwrites the first characters of c:\autoexec.bat with
    its number, so we are able to add some text to any file on the
    disk...

    If your installation uses different drives for data and web pages
    vs. OS and programs, we found that on the drive where the SAMBAR
    programs are located only an existing AUTOEXEC.bat is affected;
    no new file (AUTOEXEC.bat, for example) is created.

SOLUTION

    Nothing yet.
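
    The following is an added example, not part of the original
    advisory or of Sambar's code: a log check that flags pagecount
    requests whose page value would resolve outside the tmp directory.
    It assumes a Common Log Format access log; the sample lines and
    the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in Common Log Format (not taken from the advisory).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2002:10:00:00 +0000] "GET /session/pagecount?page=index HTTP/1.0" 200 12
192.0.2.44 - - [01/Jan/2002:10:00:05 +0000] "GET /session/pagecount?page=../../../../../../autoexec.bat HTTP/1.0" 200 12
192.0.2.44 - - [01/Jan/2002:10:00:09 +0000] "GET /session/pagecount?page=..%5C..%5Cautoexec.bat HTTP/1.0" 200 12
192.0.2.10 - - [01/Jan/2002:10:00:20 +0000] "GET /docs/index.htm HTTP/1.0" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so encoded separators are visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_tmp(page):
    """True if a counter name could resolve outside the Sambar tmp directory."""
    name = decode_fully(page)
    # A legitimate counter name is a bare file name: no separators,
    # no drive letter, no NUL, and not an empty or dot-only component.
    return any(c in name for c in "/\\:\x00") or name.strip(". ") == ""

def find_pagecount_traversal(log_text):
    """Return (line_no, client, decoded_page) for suspicious pagecount hits."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        # Assumption: the server matches this path case-insensitively.
        if url.path.lower().rstrip("/") != "/session/pagecount":
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() == "page" and escapes_tmp(value):
                hits.append((line_no, line.split()[0], decode_fully(value)))
    return hits

if __name__ == "__main__":
    for line_no, client, page in find_pagecount_traversal(SAMPLE_LOG):
        print(f"line {line_no}: {client} requested page={page!r}")
```

    The same escapes_tmp test can sit in a filtering proxy in front of
    the server to reject such requests before they reach the script.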