A bug report on fulldisclosure.org incorrectly indicated that all versions of the Sambar Server are vulnerable to a buffer-overflow attack on /session/login. This is not incorrect; the 5.3 production server is not vulnerable to this attack. Prior versions of the server may be at risk, but the author of the original report has not been responsive to queries as to his claims.

All Sambar Server release prior to 5.3 contain several cross-site scripting vulnerability reported by Gregory Le Bras at security-corp.org. This vulnerability has been confirmed and is considered minor at this time. The vulnerabilities have been fixed in the 6.0 beta 1 release and can be address in the 5.3 production release by using the RC@striphtml or RC@txt2html scalar around the variables documented in the bug report.

The CGI scripts documented in the bug report should be removed before putting the server in production. They have been removed or secured in the 6.0 beta 1 release. Finally, the cross-site scripting vulnerabilities of the forms in the /sysuser section should be secured by requiring a valid user login to utilize those pages (again, this has been done in the 6.0 beta 1 release).

A bug was introduced in the 5.3 beta 2 release relating to the "Relay IPs" feature found in the mail.ini configuration file. If you are a user of this feature, please return to the 5.2 production or upgrade to the 5.3 beta 3 preview 1 release or later.

There is a bug in the mail server prior to 5.0 production that results in the SMTP server acting as an open relay if the Restrict Relay IPs configuration parameter is set. With either the Restrict Relay = true or Require AUTH = true parameters, the Restrict Relay IPs is likely unnecessary.

All releases prior to the 5.2 production release are vulnerable to a DOS attack against DOS devices. While many DOS devices were properly secured, several were not. In addition, the 5.2 production release includes the OpenSSL 0.9.6g release that fixes a buffer-overflow bug in the SSL library.

All releases prior to the 5.2 beta 1 release are vulnerable to having the source code associated with CGI scripts and JSP files exposed via an URL sequence.

All releases prior to the 5.1 production release are subject to a DOS attack resulting from a manipulation of the login URL. In addition, an attach on a specific HTTP header can crash the server. Finally, the cgi-win samples shipped with all releases prior to the 5.1 production release were vulnerabile to a security attach. These bugs were reported by Mark Litchfield of NGS Software (many thanks!).

The 5.1 Beta 2, 3 and 4 releases are subject to a crash due to a bug in the server-side include processing of the "echo" DOCUMENT_ROOT command. This has been fixed in the latest preview release (3/17/2002) and the 5.1 beta 5 release.

All versions of the Sambar WWW Server prior to the 5.1 Beta 4 release are vulnerable to a reported DoS attack against the /cgi-win/cgitest.exe sample application. (Reported by Tamer Sahin at www.securityoffice.net). This sample application should be removed from your cgi-win directory (it will be removed from subsequent releases of the server and the CGI-WIN security vulnerability closed.)

All versions of the Sambar WWW Server prior to the 5.0 production release are vulnerable to a bug in the /isapi/testisa.dll sample pplication that allows users to display the contents of files outside the Documents Directory. This sample DLL should be removed from production servers.

All versions of the Sambar WWW Server prior to the 5.0 production release are vulnerable to a SSI bug that allows users to use the "#include file" functionality to display the contents of files outside the Documents Directory. This exploit can only be used by users that have access to upload .shtml files to the server.

All versions of the Sambar WWW Server with the exception of 5.0 beta 5 and later releases have a security vulnerability associated with the pagecount sample code. Please immediately comment out the following line in your config.ini and restart your server (or upgrade to 5.0 beta 5):

INIT = samples.dll:general_init

This will disable the pagecount RPC/scalar. A patch for this bug will be released during the week of 6/20.

The 4.2 and 4.3 production releases contain a vulnerability in the netutils sample code shipped with the server. A buffer-overrun exploit can be used against the "finger" RPC. A fix for this bug is being prepared and should be available the week of 6/12/2000. In the meantime, you should modify your config.ini and comment out the line: INIT = samples.dll:netutils_init. This will disable the network utility samples and remove this exploit.

In addition, a security hole has been found in the 4.3 production release that can allow .htm and .html files in a directory secured by .htaccess constraints to be accessed via browser. To exploit this hole, a user must know the file name in the secured directory. This hole can be secured by using the security.ini file to secure the directory and/or by renaming any .htm or .html files in the .htaccess secured directory to .stm. The 4.4 beta 1 release includes a fix for this vulnerability. Many thanks to Melvyn Sopacua and James Wright for bringing this bug to my attention.

Datum 25-04-2003