
Web Servers information disclosure and Denial of Service Attacks

Attack ID: CPAI-2003-03
Publish Date:
Last Update:
Category: Web Servers information disclosure and Denial of Service Attacks
Vulnerable Systems: Web Servers with WebDAV enabled (IIS 5.x and Apache)
Source:

CVE-2000-0869
CVE-2000-0951
CVE-2001-0151
CVE-2001-0238
CVE-2001-0508
CAN-2002-0422
CAN-2002-1156
CAN-2002-1182

Description: WebDAV, "Web-based Distributed Authoring and Versioning", is a set of extensions to the HTTP protocol which allows users to collaboratively edit and manage files on remote web servers. Several security vulnerabilities, including data disclosure and denial of service attacks, are related to the way that certain web servers parse WebDAV requests.
Severity:
  Consequences of various WebDAV vulnerabilities vary. For the buffer overflow described below, attackers can potentially gain full control of the affected machine.
Details:

There are different types of attacks against WebDAV enabled web servers, as listed under Source above. These attacks are well documented and the exploit code can be found on different web sites. A malicious attacker can take advantage of the following exploits:

  • WebDAV can allow remote attackers to list arbitrary directories via the PROPFIND HTTP request method.
  • A vulnerability in IIS 5.0 allows remote attackers to cause a denial of service (restart) via a long, invalid WebDAV request.
  • WebDAV contains a flaw in the handling of unusually long requests, which can be triggered by submitting a valid yet unusually long WebDAV 'search' request.
  • By making a specific, properly structured request to the Apache web server, it is possible to obtain information which is equivalent to a directory listing.
  • A denial of service vulnerability that results from a flaw in the way IIS 5.0 and 5.1 allocate memory for WebDAV requests.
  • IIS 5 and 5.1 with WebDAV methods enabled allow remote attackers to determine the internal IP address of the system.
  • Apache 2.0.42 allows remote attackers to view the source code of a CGI script via a POST request to a directory with both WebDAV and CGI enabled.
  • If a WebDAV request is malformed in a particular way, IIS allocates an extremely large amount of memory on the server. By sending several such requests, an attacker could cause the server to fail.
  • Microsoft Data Access Component Internet Publishing Provider 8.103.2519.0 and earlier allows remote attackers to bypass Security Zone restrictions via WebDAV requests.
Attack Detection: Using the SmartView Tracker one can identify blocked HTTP connections with a Malformed Request error message displayed in the information field.
Solution:

These and similar attacks can be blocked by FireWall-1, since the FireWall-1 HTTP Security Server restricts the use of WebDAV methods by default.

One can verify this behavior by checking that the flag enable_propfind_method is set to false. (When enable_propfind_method is set to true, which is not the default setting, the FireWall-1 HTTP Security Server will enable WebDAV HTTP methods. Administrators should note that the flag, once set to true, will allow all WebDAV HTTP methods, not only PROPFIND.)
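The following is an added example, not Check Point's code and not part of this advisory. It models the default behaviour described in the Solution section as a small HTTP request pre-filter: WebDAV methods are refused unless an enable_propfind_method-style flag is set (and, as the page notes, setting it admits all WebDAV methods, not just PROPFIND), while over-long or malformed request heads are dropped before they could reach a web server, covering the "long request" and memory-allocation cases listed under Details. Dropped requests are recorded with a "Malformed Request" information field, and a tally function shows the kind of summary one would pull from the tracker. The method set, the length limits, the log record layout and the sample traffic are all assumptions made for this example.

```python
"""Added example: WebDAV method pre-filter with tracker-style log records.
All names, limits and sample requests below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: RFC 2518 WebDAV methods plus SEARCH form the "WebDAV methods" set.
WEBDAV_METHODS = frozenset(
    {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
)
SAFE_METHODS = frozenset({"GET", "HEAD", "POST"})

MAX_REQUEST_LINE = 4096   # assumption: caps chosen for this example only
MAX_HEAD_BYTES = 8192     # assumption


@dataclass
class FilterConfig:
    # False by default, mirroring the FireWall-1 default described on the page.
    # Once True, every method in WEBDAV_METHODS is allowed, not only PROPFIND.
    enable_propfind_method: bool = False


@dataclass
class LogRecord:
    action: str   # "accept" or "drop"
    method: str   # "?" when the request line could not be parsed
    target: str
    info: str     # free-text information field, e.g. "Malformed Request"


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Parse request line and headers; raise ValueError for anything that is
    not a well-formed, reasonably sized HTTP/1.x request head."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    if len(lines[0]) > MAX_REQUEST_LINE:
        raise ValueError("request line too long")
    if len(head) > MAX_HEAD_BYTES:
        raise ValueError("headers too long")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        raise ValueError("bad request line")
    method = parts[0].decode("ascii", "replace")
    target = parts[1].decode("ascii", "replace")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("bad header line")
        headers[name.strip().decode("ascii", "replace").lower()] = (
            value.strip().decode("ascii", "replace")
        )
    return method, target, headers


def filter_request(raw: bytes, cfg: FilterConfig) -> LogRecord:
    """Decide accept/drop for one request head and produce a log record."""
    try:
        method, target, _headers = parse_request_head(raw)
    except ValueError:
        # Oversized or malformed heads never reach the server; this is the
        # class that shows up as "Malformed Request" in the tracker.
        return LogRecord("drop", "?", "?", "Malformed Request")
    if method in WEBDAV_METHODS and not cfg.enable_propfind_method:
        return LogRecord("drop", method, target, "Malformed Request")
    if method not in SAFE_METHODS and method not in WEBDAV_METHODS:
        return LogRecord("drop", method, target, "Malformed Request")
    return LogRecord("accept", method, target, "")


def count_blocked(records: List[LogRecord]) -> Dict[str, int]:
    """Tally dropped requests by method, as read from the information field."""
    counts: Dict[str, int] = {}
    for rec in records:
        if rec.action == "drop" and rec.info == "Malformed Request":
            counts[rec.method] = counts.get(rec.method, 0) + 1
    return counts


# Constructed sample traffic (not captured data): one plain GET, a PROPFIND,
# a SEARCH, an unusually long SEARCH request line, and a malformed header.
SAMPLE_REQUESTS: List[bytes] = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"PROPFIND / HTTP/1.1\r\nHost: www.example.test\r\nDepth: 1\r\n\r\n",
    b"SEARCH / HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"SEARCH /" + b"A" * 10000 + b" HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost www.example.test\r\n\r\n",
]


def run_samples(cfg: FilterConfig) -> List[LogRecord]:
    return [filter_request(raw, cfg) for raw in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for rec in run_samples(FilterConfig()):
        print(rec)
    print(count_blocked(run_samples(FilterConfig())))
```

With the default configuration the PROPFIND and SEARCH requests are dropped on method alone, and the over-long and malformed heads are dropped before their method is even considered; flipping enable_propfind_method to True admits PROPFIND and the well-formed SEARCH but still rejects the over-long one, which is the distinction a defender wants to keep even when WebDAV must be exposed for applications such as Outlook Web Access.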

Some of the applications that are using WebDAV are: Outlook Web Access, Web Folders, Outlook Express connection to Hotmail and FrontPage.

Industry Reference:
Additional Information:

Microsoft Security Bulletin
SecureKnowledge: How to edit the objects file