Some vulnerabilities have been discovered in Xerver, which can be exploited by malicious people to bypass certain security restrictions or conduct cross-site scripting and HTTP response splitting attacks.

1) An error exists in the HTTP server when handling HTTP requests. This can be exploited to disclose the content of files having a restricted extension by appending "::$DATA" to the requested file name.

2) Input passed via the "currentPath" parameter (when "action" is set to "chooseDirectory") to the administrative interface running on port 32123 is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) Input appended after the URL is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which will be included in a response sent to the user.

4) An error in the HTTP basic authentication feature can be exploited to bypass authentication for protected directories by e.g. prepending multiple "/" or a "\" to the path in a request.

5) An error in the processing of HTTP requests can be exploited to e.g. disclose the source code of script files or bypass the restricted extensions functionality via a specially crafted request containing NULL bytes in the file path.

6) An error in the processing of HTTP requests can be exploited to show a directory list of a folder above the root directory via a directory traversal sequence containing a NULL byte.

The vulnerabilities are confirmed in version 4.32 for Windows. Other versions may also be affected.

Solution
Do not rely on the security provided by the restricted extensions functionality or HTTP basic authentication. Filter malicious characters and character sequences using a web proxy.

Provided and/or discovered by
1) Dr_IDE
2) Stack
3) sasquatch
4, 5, 6) Ben Schmidt aka supernothing

Changelog
Further details available in Customer Area

Original Advisory
1) http://milw0rm.com/exploits/9649
2) http://milw0rm.com/exploits/9718
3) http://packetstormsecurity.org/0911-exploits/xerver-split.txt
4, 5, 6) http://spareclockcycles.org/2010/08/01/multiple-vulnerabilities-in-xerver-4-32/

Deep Links
Links available in Customer Area