-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 

- --[ Stronghold Secure Webserver Sample Script Path Disclosure Vulnerability ]--

- --[ Type 

Path Disclosure 

- --[ Release Date 

May 21, 2002 

- --[ Product / Vendor 

Red Hat's Stronghold is the most mature Apache-based web server 
available today with over seven years of development and more than 
14,000 servers running it to protect their data. Stronghold provides 
the tools to quickly install and configure the popular Apache Web 
Server with the security features that customers and business 
partners expect when they interact with your site. 

http://www.c2.net 

- --[ Summary 

Any user can send a request to the Stronghold sample script 'swish', 
causing it to reveal the full path to the webroot. In some cases swish 
will display system-specific information in the HTML source code. 

http://host/cgi-bin/search 

=======================SNIP======================== 
<HTML> 
<HEAD> 
<TITLE>Welcome to Stronghold!</TITLE> 
</HEAD> 

<BODY BGCOLOR="#FFFFFF" TEXT="#000000" VLINK="#FF0000" 
LINK="#0000FF"> 

<H1 ALIGN=CENTER>Search Stronghold Documentation</H1> 
<hr><form method="POST" action="/cgi-bin/search"> 
This is a searchable index of information.<br> 
<b>Note:</b> <i>This service can only be used from a forms-capable 
browser.</i><p> 
Enter keyword(s): <input type=text name="keywords" value="" size=30> 
<input type=submit value=" Search "> 
<input type=reset value=" Reset "> 
<p> 
<input type=hidden name=message value="If you can see this, then your 
browser can't support hidden fields."> 
<input type=hidden name=source value="manual.swish"> 
(!) <input type=hidden name=sourcedir 
value="/home/ts/stronghold/swish/"> (!) 
<input type=hidden name=maxhits value="40"> 
<input type=hidden name=sorttype value="score"> 
<input type=hidden name=host value=""> 
<input type=hidden name=port value=""> 
<input type=hidden name=searchprog value="swish"> 
<input type=hidden name=iconurl value="/icons"> 
<input type=hidden name=useicons value="yes"> 
</form><hr> 
=======================SNIP======================== 

- --[ Tested 

OpenBSD 3.0 / Stronghold 3.0 

- --[ Vulnerable 

Stronghold 3.0 (and possibly other versions) 

- --[ Disclaimer 

http://www.securityoffice.net is not responsible for the misuse or 
illegal use of any of the information and/or the software listed on 
this security advisory. 

- --[ Author 

Tamer Sahin 
ts@securityoffice.net 
http://www.securityoffice.net 

PGP Key ID: 0x2B5EDCB0 

-----BEGIN PGP SIGNATURE----- 
Version: PGP 7.1 

iQA/AwUBPOnUuLuLpFMrXtywEQJPmACfeRnAUYiggiVFoqDr+Wwd+A8n+OYAnjP9 
C3phQ2AsK4qFIkkas/3E71Sr 
=CyBT 
-----END PGP SIGNATURE-----