Falcon Web Server

From: Advisory (advisory+falconat_private)
Date: Tue Oct 26 1999 - 08:43:31 PDT


    BindView Security Advisory
    
    
    
    Falcon Web Server Technical Advisory
    
    Issue date:  10/24/99
    Contact:  Andrew Reiter <areiterat_private>
    
    
    Topic
    -----
    
    Falcon Web Server suffers from a path parsing problem, which allows a
    remote user to escape out of the webroot directory.  Also, the web
    server gives up information about itself when certain filenames are
    requested.
    
    
    Affected Systems
    ----------------
    
    Windows 95/98/NT running BlueFace's Falcon Web Server version 1.0.0.1006.
    
    
    Overview
    --------
    
    The Falcon Web Server (FWS) is a fully functional web server meant for
    running on desktop computers, handling about 50 to 80 hits per minute.
    The Falcon Web Server is plagued by a path parsing bug which has
    affected other web servers in the past, such as old IIS and Apache. This
    bug allows a remote user to "break out" of the webroot directory, where
    the web server runs, and browse directories and/or download files from
    areas outside of the webroot directory.
    
    The default settings of the web server allow browsing of directories and
    reading of files outside the webroot directory.  Users can disable this
    "feature."  If it is disabled, one can still read the files, but the
    complete path must be known to the attacker.
    
    FWS also has a bug in handling long file name requests: the error it
    returns reveals the location of the webroot directory.  This can be used
    as an information-gathering technique for further attacks on the machine.
    
    
    Impact
    ------
    
    Remote users have the ability to view directory paths, download files
    (depending on permissions), and may use this to compromise the web server.
    
    
    
    Appendix A, Software Information
    --------------------------------
    
    Falcon Web Server
    	FWS version 1.0.0.1008 fixes the vulnerabilities and is
    	available at:
    	http://www.blueface.com/products.html#fws
    
    
    
    --
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:08:49 PDT