Information Risk Management Plc.

Advisory 001

Xcache Webserver Cache Path Disclosure Vulnerability
Vulnerablity Type / Importance: Information Leakage / Medium

Problem discovered: Mon, 17 Sep 2001
Vendor contacted: Wed, 19 Sep 2001
Advisory published: Fri, 21 Sep 2001

Abstract:
Xcache webserver accelerator for Windows NT and Windows 2000 reveals absolute pathnames of documents served by the webserver in the case that caching is turned off for that document.

Description:
Xcache (http://www.xcache.com) is an application that runs in front of the Microsoft IIS webserver (versions 4 and 5) and caches pages. When a request is made for a particular document, Xcache checks to see if it holds a cached copy of the document, and returns it if so, thus reducing the load on the underlying webserver.

This is most useful for dynamic content, such as .asp scripts. However, for some scripts, it is not desirable to hold a cached copy. These scripts are most commonly those which are specific to individual users, such as Shopping Baskets and the like. For this reason, Xcache provides the functionality to turn off caching for individual pages, or for entire folders (in which case all pages and subfolders in the folder will also not be cached). When caching is turned off for a document, Xcache returns the absolute pathname to that document in the HTTP headers. Sample headers are below:

[macavity@horus ~/work/research]$ telnet 192.168.0.21 80
Trying 192.168.0.21...
Connected to 192.168.0.21.
Escape character is '^]'.
GET /home/index.html HTTP/1.0

HTTP/1.1 200 OK
Content-PageName: D:Inetpubwwwroothomeindex.html
Date: Tue, 18 Sep 2001 16:08:59 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Tue, 18 Sep 2001 15:10:48 GMT
ETag: "0ccc3185440c11:925"
Content-Length: 59
Server: Microsoft-IIS/5.0 Running XCache Version (2.1.5629.1)

<HTML>
<BODY>
This is a test...
</BODY>
</HTML>
Connection closed by foreign host.

The pathname is revealed as the header 'Content-PageName' in the server response.

As previously mentioned, if a folder has caching disabled, all documents contained in that folder and its subfolders are also not cached, and have their paths given out as above.

This information can be critical to an attacker, as many webserver vulnerabilities require the attacker to know the webroot, so as to be able to provide an appropriate path to an executable such as 'cmd.exe', or other useful information held outside the root directory of the webserver.

Moreover, if the document requested is held outside the webroot, for example the /scripts or /msadc folders, then Xcache will still return the absolute path of the document. In the common case where the webserver content is held on a drive partition different to the operating system, this allows an attacker to quickly check which folders map to directories on the system partition, and hence can help access critical OS executables.

Hence, while this vulnerability itself does not compromise the machine, it reveals information that will assist an attacker greatly in using other exploits, such as the Unicode or Double-decode vulnerabilities for IIS 5.

Tested Versions:
Xcache 2.1 (current version) for Windows NT and Windows 2000 (The authors were not able to obtain any previous versions, but have found installations of Xcache 2.0 in the wild that appear to be vulnerable).

Tested Operating Systems:
Windows NT4 Server + Option Pack + SP6a
Windows 2000 Server + SP2

Vendor & Patch Information:
The vendor of this product, Xcache Technologies, was contacted. They were receptive to our report and produced a patch within 24 hours.

The patch is not available for public download, but users of Xcache can obtain it by contacting support@xcache.com.

Workarounds:
No workarounds for this vulnerability have been discovered.

Credits:
Initial vulnerability discovery: B-r00t, Jacob
Testing and Advisory: Macavity

Disclaimer:
All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.