NetServe Web Server v1.0.58 Multiple Remote Vulnerabilities

Title: NetServe Web Server v1.0.58 Multiple Remote Vulnerabilities
Advisory ID: ZSL-2011-5021
Type: Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data, Cross-Site Scripting
Risk: (3/5)
Release Date: 23.06.2011
Summary
NetServe is a super compact Web Server and File Sharing application for Windows NT, 95, 98, 2000, and XP. Its HTTP Web Server can serve all types of files including html, gif and jpeg; actually, any files placed in your NetServe directory can be served. New key features include Server-Side-Include (SSI) support and CGI/1.1 support, giving you the choice of your preferred scripting language, including but not limited to Perl, ASP and PHP, to create your dynamic content.
Description
NetServe Web Server is affected by multiple vulnerabilities, including cross-site scripting, remote file inclusion, local file inclusion, script insertion, HTML injection, denial of service, etc. Although the software is no longer maintained and the last update was in 2006, a few people still use it. All the parameters are susceptible to the above attacks. The parameters used by the web application (POST/GET) are:

- Action
- EnablePasswords
- _Checks
- _ValidationError
- ListIndex
- SiteList_0
- SSIErrorMessage
- SSIExtensions
- SSITimeFormat
- SSIabbrevSize
- EnableSSI
- LogCGIErrors
- LoggingInterval
- ExtendedLogging
- CGITimeOut

The tests were made using PowerFuzzer and OWASP ZAP. No need for PoC strings. Attackers can exploit any of the issues using a web browser.
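
A log-triage sketch for anyone still running this server, added here as an example and not part of the original advisory: it flags GET requests in which one of the parameters listed above carries markup, a traversal sequence or a remote URL. The log format, request path, client addresses and sample values are constructed assumptions; POST bodies do not appear in access logs and are not covered.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names exactly as listed in the advisory.
PARAMS = {
    "Action", "EnablePasswords", "_Checks", "_ValidationError", "ListIndex",
    "SiteList_0", "SSIErrorMessage", "SSIExtensions", "SSITimeFormat",
    "SSIabbrevSize", "EnableSSI", "LogCGIErrors", "LoggingInterval",
    "ExtendedLogging", "CGITimeOut",
}
# Coarse indicators for the injection and inclusion classes the advisory names.
INDICATORS = {
    "markup": re.compile(r"[<>]"),
    "traversal": re.compile(r"\.\.[\\/]"),
    "remote-url": re.compile(r"^[a-z][a-z0-9+.-]*://", re.I),
}
# Assumed access-log layout: client address first, request line in quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode(value, rounds=3):
    """Undo repeated percent-encoding (parse_qsl has already decoded once)."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def scan(lines):
    """Return (client, parameter, indicator) for each suspicious value."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        query = urlsplit(target).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name not in PARAMS:
                continue
            value = decode(value)
            findings += [(client, name, label)
                         for label, rx in INDICATORS.items() if rx.search(value)]
    return findings

# Constructed sample lines; "/placeholder" stands in for the real page path.
SAMPLE = [
    '192.0.2.10 - - [23/Jun/2011:10:00:00 +0000] "GET /placeholder?Action=Save&CGITimeOut=30 HTTP/1.1" 200 512',
    '198.51.100.7 - - [23/Jun/2011:10:00:05 +0000] "GET /placeholder?SSIErrorMessage=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [23/Jun/2011:10:00:09 +0000] "GET /placeholder?SSIExtensions=..%252f..%252fexample HTTP/1.1" 200 512',
    '198.51.100.7 - - [23/Jun/2011:10:00:12 +0000] "GET /placeholder?q=%3Cb%3E HTTP/1.1" 200 512',
]
```

Since the software is unmaintained, hits from this kind of triage are a prompt to restrict network access to the server or retire it rather than to wait for a fix.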
Vendor
Net-X Solutions Ltd - http://www.netxsolutions.co.uk
Affected Version
1.0.58
Tested On
Microsoft Windows XP Professional SP3 (EN)
Vendor Status
N/A
PoC
netserve_mv.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://zeroscience.mk/blog/06/2011/netserve-web-server-v1-0-58-multiple-remote-vulnerabilities/
[2] http://www.securityfocus.com/bid/48406
[3] http://packetstormsecurity.org/files/102540
[4] http://securityreason.com/wlb_show/WLB-2011060077
[5] http://xforce.iss.net/xforce/xfdb/68177
[6] http://xforce.iss.net/xforce/xfdb/68178
[7] http://xforce.iss.net/xforce/xfdb/68179
[8] http://xforce.iss.net/xforce/xfdb/68180
[9] http://xforce.iss.net/xforce/xfdb/68181
[10] http://secunia.com/advisories/45061/
[11] http://osvdb.org/show/osvdb/73479
[12] http://osvdb.org/show/osvdb/73480
[13] http://osvdb.org/show/osvdb/73481
[14] http://osvdb.org/show/osvdb/73482
[15] http://osvdb.org/show/osvdb/73483
Changelog
[23.06.2011] - Initial release
[24.06.2011] - Added reference [3], [4], [5], [6], [7], [8] and [9]
[29.06.2011] - Added reference [10]
[30.06.2011] - Added reference [11], [12], [13], [14] and [15]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk