Multiple Vulnerabilities In AMLServer

From: SNS Research (vuln-devat_private)
Date: Mon Jun 18 2001 - 06:31:29 PDT


    Strumpf Noir Society Advisories
    ! Public release !
    <--#
    
    
    -= Multiple Vulnerabilities In AMLServer =-
    
    Release date: Monday, June 18, 2001
    
    
    Introduction:
    
    Air Messenger LAN Server is a paging gateway server for MS Windows
    that allows you to send and receive messages to a paging network
    over a TCP/IP LAN, reaching phones, pagers and e-mail.
    
    AMLServer is available from the vendor Internet Software Solutions'
    website: http://www.internetsoftwaresolutions.org
    
    
    Problem(s):
    
    AMLServer Directory Traversal Problem
    
    AMLServer's "Webpaging" HTTP interface is susceptible to a directory
    traversal attack. Adding the string "../" to a URL allows an
    attacker access to files outside of the webserver's publishing
    directory. This allows read access to any file on the server.
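    The following is an added example (not code from the advisory or from
    the vendor) showing the two sides of the problem described above: a
    naive path join that lets ".." segments walk out of the publishing
    directory, next to a hardened resolver that percent-decodes, treats
    backslashes as separators (as a Windows server would) and refuses any
    result that does not stay under the document root. A small log check
    over constructed request lines shows how such requests can be flagged
    after the fact. The web root path and the log lines are assumptions
    made up for the example.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real AMLServer logs); the second,
# third and fourth requests carry a traversal in plain, percent-encoded and
# backslash form respectively.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jun/2001:06:31:29] "GET /index.html HTTP/1.0" 200',
    '10.0.0.5 - - [18/Jun/2001:06:31:30] "GET /../../pUser.Dat HTTP/1.0" 200',
    '10.0.0.5 - - [18/Jun/2001:06:31:31] "GET /%2e%2e/%2e%2e/pUser.Dat HTTP/1.0" 200',
    '10.0.0.5 - - [18/Jun/2001:06:31:32] "GET /..\\..\\pUser.Dat HTTP/1.0" 200',
    '10.0.0.5 - - [18/Jun/2001:06:31:33] "GET /docs/readme.txt HTTP/1.0" 200',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def normalise_request_path(url_path):
    """Percent-decode once and treat backslashes as path separators."""
    return unquote(url_path).replace("\\", "/")


def naive_resolve(web_root, url_path):
    """Vulnerable pattern: splice the request path straight onto the root.

    normpath happily collapses ".." segments, so a request for
    "/../../pUser.Dat" resolves to a file two levels above web_root.
    """
    return os.path.normpath(os.path.join(web_root, url_path.lstrip("/")))


def is_under_root(web_root, url_path):
    """True only if the fully resolved candidate stays inside web_root."""
    root = os.path.realpath(web_root)
    rel = normalise_request_path(url_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(root, rel))
    return candidate == root or candidate.startswith(root + os.sep)


def safe_resolve(web_root, url_path):
    """Hardened resolver: raise instead of serving anything outside the root."""
    if not is_under_root(web_root, url_path):
        raise PermissionError("request escapes the publishing directory: %r" % url_path)
    root = os.path.realpath(web_root)
    rel = normalise_request_path(url_path).lstrip("/")
    return os.path.realpath(os.path.join(root, rel))


def flag_traversal_requests(log_lines):
    """Return request paths whose decoded form contains a '..' segment."""
    flagged = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        segments = normalise_request_path(match.group(1)).split("/")
        if ".." in segments:
            flagged.append(match.group(1))
    return flagged


if __name__ == "__main__":
    # Assumed document root for the demonstration; it need not exist.
    root = "/srv/www"
    print("naive:", naive_resolve(root, "/../../pUser.Dat"))
    for path in ("/index.html", "/../../pUser.Dat", "/%2e%2e/%2e%2e/pUser.Dat"):
        print(path, "allowed" if is_under_root(root, path) else "rejected")
    print("flagged:", flag_traversal_requests(SAMPLE_LOG))
```

    The decode step matters: checking the raw URL for "../" misses the
    percent-encoded and backslash variants, which is why both the resolver
    and the log check normalise first and only then look at the segments.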
    
    
    AMLServer Plaintext Password Storage
    
    A second problem is found in the file pUser.Dat. All 
    username/password combinations applicable to the various services 
    provided by AMLServer are stored in this file in plaintext.
    
    
    AMLServer Path Disclosure
    
    The user file mentioned above is stored in the server's main directory.
    Its exact location can be obtained by exploiting another problem in
    the web interface, a path disclosure bug: the HTTP header field
    'Location' contains the full path to servermaindir/Messages.
    
    For example:
    
    $ telnet target 80|grep Location
    
    Location: http://C:\PROGRA~1\ISS\AIRMES~1\Messages
    Connection closed by foreign host.
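    As an added example (not part of the advisory), the check below parses
    a raw HTTP response and reports any header whose value contains a
    Windows filesystem path (drive-letter or UNC form), which is the kind
    of leak shown in the Location header above. The sample response is
    constructed for the example; only the Location value is taken from the
    advisory, the other headers are assumptions.

```python
import re

# Drive-letter paths such as C:\PROGRA~1\... and UNC paths such as \\host\share\...
WINDOWS_PATH_RE = re.compile(r'(?:[A-Za-z]:\\|\\\\[^\\\s]+\\)[^\s"\'<>]*')

# Constructed response; the Location value is the one quoted in the advisory.
SAMPLE_RESPONSE = (
    "HTTP/1.0 302 Found\r\n"
    "Location: http://C:\\PROGRA~1\\ISS\\AIRMES~1\\Messages\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>redirecting</html>"
)

# Constructed response with a proper URL in Location and no filesystem path.
CLEAN_RESPONSE = (
    "HTTP/1.0 302 Found\r\n"
    "Location: http://paging.example/Messages/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw_response):
    """Split a raw HTTP response into (name, value) header pairs."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers


def find_path_leaks(raw_response):
    """Return (header name, leaked path) pairs for every filesystem path found."""
    leaks = []
    for name, value in parse_headers(raw_response):
        for match in WINDOWS_PATH_RE.finditer(value):
            leaks.append((name, match.group(0)))
    return leaks


if __name__ == "__main__":
    for name, path in find_path_leaks(SAMPLE_RESPONSE):
        print("path disclosed in header %s: %s" % (name, path))
    print("clean response leaks:", find_path_leaks(CLEAN_RESPONSE))
```

    A leak of this kind turns the plaintext pUser.Dat problem from a local
    issue into a remotely reachable one, since the attacker no longer has
    to guess the installation directory; the check is therefore worth
    running against every redirect and error response an application
    produces.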
    
    
    (..)
    
    
    Solution:
    
    The vendor has been notified and has expressed the intention to fix
    these problems in version 4. Unfortunately, at the time of this
    advisory the vendor was not able to supply us with an approximate
    date for this "fixed" release, so we have not been able to verify
    this.
    
    This was tested against AMLServer 3.4.2 on Win2k.
    
    
    yadayadayada
    
    Free sk8! (http://www.freesk8.org)
    
    SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
    compliant; all information is provided on an AS IS basis.
    
    EOF, but Strumpf Noir Society will return!
    



    This archive was generated by hypermail 2b30 : Mon Jun 18 2001 - 16:14:27 PDT