[ Advisory for Viking ]
[ Viking is made by Robtex. ]
[ Site: http://www.robtex.com/viking ]
[ by nemesystm of the DHC ]
[ (http://dhcorp.cjb.net - neme-dhcat_private) ]
[ ADV-0107 ]

/-|=[explanation]=|-\
Viking is a webserver. It has a simple hex encoded dot dot bug.

/-|=[who is vulnerable]=|-\
Tested to be vulnerable:
Viking 1.04
Viking 1.06
Viking 1.07
I assume earlier versions to be vulnerable as well.

/-|=[testing it]=|-\
To test this vulnerability, try the following.
www.server.com/%2e%2e/%2e%2e/scandisk.log
This works if Viking has been installed in the proposed directory and scandisk.log exists.
Add %2e%2e/ to adjust the number of directories to go down, change scandisk.log to reflect the file you want.

/-|=[notes]=|-\
In the SMTP server VRFY and EXPN are enabled by default and I was unable to turn these commands off. They could be used by spammers to verify accounts. This was verified for Viking 1.07.

/-|=[plug]=|-\
A temporary fix was made available within 15 minutes after e-mailing. The quick and friendly response was just outstanding.

/-|=[fix]=|-\
It is best to download the latest version at www.robtex.com.
Another possibility is to add the following line to httpd.cnf
Wild http:*%2e* x-viking:/na
I would suggest upgrading, but if that is impossible, the above fix will properly prevent this problem from being exploited on a server.
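The bug class described above comes down to the order of decoding and checking. As an added example (not code from the advisory or from Robtex), this Python contrasts a check that inspects the raw path and so misses `%2e%2e` with one that decodes first and then confirms the result stays inside the document root; `DOCROOT`, `naive_resolve` and `safe_resolve` are assumed names and the request paths are constructed samples.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # assumed document root, not taken from the advisory


def naive_resolve(url_path):
    """Flawed order: filter the raw path, then percent-decode it."""
    if ".." in url_path:  # "%2e%2e" contains no literal "..", so it passes
        return None
    decoded = unquote(url_path).lstrip("/")
    return posixpath.normpath(posixpath.join(DOCROOT, decoded))


def safe_resolve(url_path):
    """Decode first, normalise, then require containment in DOCROOT."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator too
    candidate = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        return None  # resolved outside the document root
    return candidate


if __name__ == "__main__":
    # Constructed request paths, including the one from the advisory.
    samples = [
        "/index.html",
        "/%2e%2e/%2e%2e/scandisk.log",
        "/%2E%2E/%2E%2E/scandisk.log",
        "/docs/%2e%2e/index.html",
        "/a%2eb.txt",
    ]
    for path in samples:
        print(f"{path!r:35} naive={naive_resolve(path)!r} safe={safe_resolve(path)!r}")
```

The containment check rejects the traversal in either letter case while still serving a harmless encoded dot such as `/a%2eb.txt`.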
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 10:20:34 PDT