Webster HTTP Server Buffer Overrun, Directory Traversal, XSS

2007.10.21
Risk: High
Local: Yes
Remote: Yes
CWE: CWE-79

ABSTRACT

Webster HTTP Server is an HTTP/1.0 server written in C++ using Microsoft Foundation Classes (MFC). It runs on Windows 95, 98, NT, 2000, Me, and XP platforms. It was first published as a sample application in Microsoft Journal (MSJ). Multiple security flaws have been identified in Webster that could allow an attacker to take various actions on the server, ranging from script execution to complete compromise.

DESCRIPTION

There are three vulnerabilities in Webster, all related to the processing of malicious requests:

I. Buffer Overrun

There is a security flaw in Webster that allows an attacker to completely compromise the server. If given a URI that is 275 characters or longer, the saved return address will be overwritten. Execution of arbitrary code is possible:

http://www.techie.hopto.org/exploits/webster.txt

II. Directory Traversal

A separate security flaw results from poor path validation. Webster will follow '/../' sequences in URL path names, allowing access to files above the document root. This vulnerability may be used for further compromise if security-sensitive files are retrieved (the Windows NT SAM file, for instance).

http://www.techie.hopto.org/exploits/webster2.txt

III. Cross-site Scripting

Another small vulnerability was uncovered in Webster. If a path name containing HTML markup is used, that path will be returned to the browser as HTML content, enabling zone bypass. Example:

http://websterhost.edu/<SCRIPT>alert(document.URL)</SCRIPT>/
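
Added example, not code from Webster or from the advisory's author: the three request-path checks whose absence is described above (a length bound, '..' resolution confined to the document root, and HTML-encoding before the path is echoed). The function names, the 255-character limit and the sample inputs are assumptions of this example, and the path is assumed to be percent-decoded before it is checked.

```cpp
#include <iostream>
#include <string>
#include <vector>
// Hypothetical limit for this example, below the 275-character threshold above.
constexpr std::size_t kMaxUriLen = 255;

// Normalize an already percent-decoded request path. Returns false if the URI is
// over-long or would climb above the document root; otherwise fills `out`.
bool normalize_path(const std::string& uri, std::string& out) {
    if (uri.empty() || uri[0] != '/' || uri.size() > kMaxUriLen) return false;
    std::vector<std::string> parts;
    std::string seg;
    for (std::size_t i = 1; i <= uri.size(); ++i) {
        char c = (i < uri.size()) ? uri[i] : '/';   // sentinel flushes last segment
        if (c == '\\') c = '/';                     // Windows accepts both separators
        if (c != '/') { seg += c; continue; }
        if (seg == "..") {
            if (parts.empty()) return false;        // would leave the document root
            parts.pop_back();
        } else if (!seg.empty() && seg != ".") {
            parts.push_back(seg);
        }
        seg.clear();
    }
    out.clear();
    for (const auto& p : parts) out += "/" + p;
    if (out.empty()) out = "/";
    return true;
}

// Encode a path before echoing it into an HTML response (e.g. an error page).
std::string html_escape(const std::string& s) {
    std::string out;
    for (char c : s) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

int main() {  // constructed inputs
    std::string p;
    std::cout << normalize_path("/a/../../x", p) << " " << html_escape("/<b>/") << "\n";
}
```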



Copyright 2024, cxsecurity.com

 
