COMMAND

    Webtrends HTTP Server

SYSTEMS AFFECTED

    Webtrends HTTP Server V3.1c, 3.5 (Webtrends Reporting Server)

PROBLEM

    Auriemma Luigi found the following.  The bug is really simple: if
    the attacker appends an encoded space (%20) to the script file name,
    the server decides that the requested file is not a CGI script and
    therefore serves its source instead of executing it.  An example:

        http://host/remote_login.pl%20

    And the result is the source of "remote_login.pl".

    Note that there is a flame war over whether a URL-encoded character
    is or is not a unicode character.  A better way of putting it is
    that URL encoding is not the same as the UTF-8 encoding of unicode
    code points.  That has no impact on this bug :-)

    This also appears to be a bug in the web server shipped with 3.5.
    While it worked as expected against the NT version, the problem
    could not be duplicated against the Solaris or Linux versions (by
    Michael Grice).
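    The root cause is a server that decides "is this a CGI script?" on the
    raw request path but opens the file on the decoded one.  The following
    is an added illustration, not code from Webtrends or from the report:
    a hypothetical naive check beside a hardened one that canonicalises
    the path first, plus a scan of constructed log lines for requests whose
    decoded path ends in whitespace.

```python
import posixpath
import re
from urllib.parse import unquote

# Extensions this hypothetical server hands to its CGI handler (assumption).
CGI_EXTENSIONS = {".pl", ".cgi"}

def is_cgi_naive(request_path: str) -> bool:
    """Vulnerable decision: inspects the raw, still-encoded path.
    "/remote_login.pl%20" has the "extension" ".pl%20", so the check says
    "not CGI" and the static-file handler later decodes the name, finds
    remote_login.pl on disk and serves its source."""
    return posixpath.splitext(request_path)[1].lower() in CGI_EXTENSIONS

def canonical_path(request_path: str) -> str:
    """Decode percent-encoding, drop the query string, strip trailing
    whitespace and collapse dot segments, so that the CGI decision and the
    file lookup operate on exactly the same name."""
    decoded = unquote(request_path.split("?", 1)[0])
    stripped = decoded.rstrip(" \t\r\n")
    return posixpath.normpath("/" + stripped.lstrip("/"))

def is_cgi_hardened(request_path: str) -> bool:
    """Hardened decision: classify the canonical path, never the raw one."""
    ext = posixpath.splitext(canonical_path(request_path))[1].lower()
    return ext in CGI_EXTENSIONS

# Constructed sample access-log lines (common log format) for the scan below.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2002:10:00:00 +0000] "GET /remote_login.pl HTTP/1.0" 200 512',
    '10.0.0.5 - - [01/Jan/2002:10:00:01 +0000] "GET /remote_login.pl%20 HTTP/1.0" 200 4096',
    '10.0.0.6 - - [01/Jan/2002:10:00:02 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def trailing_whitespace_requests(log_lines):
    """Return the raw request paths whose decoded form ends in whitespace;
    a quick way to check existing logs for attempts against this bug."""
    flagged = []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        raw = match.group(1)
        decoded = unquote(raw.split("?", 1)[0])
        if decoded != decoded.rstrip(" \t\r\n"):
            flagged.append(raw)
    return flagged
```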

SOLUTION

    Nothing yet.