Note: The red stoplight on this page indicates the highest possible severity level for this category of vulnerabilities. The severity level in this instance is indicated by the colored dot beside the link to this tutorial on the previous page.
4/7/03
Several of the default CGI scripts which are installed with
Sambar 5.3 and earlier contain vulnerabilities. The
environ.pl and testcgi.exe
programs can disclose physical path names and other
information to potential attackers. The iecreate.stm
and ieedit.stm programs could disclose
the contents of directories. Furthermore, all of the above scripts
and many others could allow cross-site scripting, which
could allow a malicious web site to induce visitors into
executing unexpected commands on the visitor's own computer.
4/8/02
There are several buffer overflow vulnerabilities
affecting Sambar 5.0 and possibly earlier versions.
4/30/02
CVE 2002-0737
Like most web servers, Sambar supports CGI scripts, which
are executed by the server when their file names are requested, with
HTML output being sent back to the web browser.
However, if a space and a null character are appended to the request,
Sambar returns the source code of the script instead of executing
it. The source code could reveal sensitive information such
as passwords which could be helpful to an attacker in planning
an attack. This vulnerability could also allow attackers to
request DOS devices, which could consume system resources and
lead to a denial of service.