------------------------------------------------------------
itcp advisory 14
advisories@it-checkpoint.net
http://www.it-checkpoint.net/advisory/14.html
May 8th, 2002
------------------------------------------------------------

Lysias Lidik Webserver suffers from a Directory Traversal Vulnerability
-------------------------

Affected programs: Lysias Lidik Webserver 0.7b
URL: www.lysias.de
Vendor: L.Y.S.I.A.S.
Vulnerability-Class: Directory Traversal
OS specific: Windows
Problem-Type: remote

SUMMARY

Lysias Lidik Webserver is a small webserver (the installation file is about 700 KB) that offers various features, including SSL support. It also appears to be an attempt at a secure webserver: "not allowed requests" are shown separately from the usual requests, which suggests the programmer has thought about the safety of the program.

DETAILS

A request for http://localhost/../ is refused, and the "not allowed requests" counter increases by one. A request for http://localhost////./../.../ , however, succeeds and returns a listing of E:, the drive on which the server root \security lies. The filter therefore catches the regular ".." parent reference but not the three-dot form, which the server still resolves to a directory above the root.

IMPACT

The server root can be escaped, and almost any file on the same disk can be downloaded (including password files or other sensitive information). Directories whose names contain a space (%20 in the browser) do not seem to be reachable in this way.

EXPLOIT

If the webserver is running on localhost, enter http://localhost/.../ in the browser's address bar.

SOLUTION

Since a protection against the regular directory traversal pattern (/../) already exists, it should be widened to also reject traversal attempts with three (or more) dots. Segments of more than three dots did not escape the root in my tests. The more robust fix is to canonicalise the requested path against the document root after decoding it and to refuse any request that resolves outside the root, rather than blacklisting individual dot patterns.

ADDITIONAL INFORMATION

Vendor has been contacted.
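The check the SOLUTION section asks for, as an added example that is not the Lidik server's code (its source is not available here): a naive stand-in for the filter described in DETAILS, beside a resolver that percent-decodes the request, canonicalises it against the document root, checks containment, and refuses any dot-only segment that survives. The document root /security and the sample request paths are assumptions for illustration, written in POSIX form so the example runs on any host; the advisory's own paths are on the Windows drive E:.

```python
"""Added example (not the Lidik server's code): mapping a request URI path to a
file path inside a document root in a way that is not fooled by '...'."""
import posixpath
from urllib.parse import unquote

# Hypothetical document root; the advisory reports the real one as E:\security.
DOC_ROOT = "/security"


def naive_is_allowed(request_path: str) -> bool:
    """Illustrative stand-in for the filter the advisory describes: only the
    literal parent reference '/../' is refused, so '/.../' passes."""
    return "/../" not in request_path


def dot_only_segments(path: str):
    """Return every path segment that consists of nothing but two or more dots."""
    return [s for s in path.split("/") if len(s) >= 2 and set(s) == {"."}]


def resolve_request(request_path: str, doc_root: str = DOC_ROOT):
    """Return the file path for request_path inside doc_root, or None to refuse.

    Order matters: percent-decode first (so '%2e%2e' is seen as '..'), then
    canonicalise, then check containment, then refuse any dot-only segment
    left over. '...' is a legal name under POSIX rules, so canonicalisation
    alone keeps it inside the root, yet the advisory shows the Windows server
    resolving it upwards; rejecting it outright avoids guessing which rule
    the filesystem underneath will apply.
    """
    decoded = unquote(request_path)
    # NUL bytes and backslashes never belong in a URI path; refusing them is a
    # design choice here, not something the advisory states.
    if "\x00" in decoded or "\\" in decoded:
        return None
    relative = decoded.lstrip("/")
    full = posixpath.normpath(posixpath.join(doc_root, relative))
    # '..' that climbed above the root: the normalised path no longer starts
    # with the root.
    if full != doc_root and not full.startswith(doc_root + "/"):
        return None
    # '...', '....', ...: refuse rather than trust the platform's interpretation.
    if dot_only_segments(full):
        return None
    return full


if __name__ == "__main__":
    # Constructed sample requests, including the two forms from the advisory.
    samples = ["/index.html", "/../", "////./../.../", "/.../",
               "/docs/%2e%2e/%2e%2e/boot.ini", "/my%20dir/file.txt"]
    for s in samples:
        print(f"{s:35} naive={naive_is_allowed(s)!s:5} resolved={resolve_request(s)}")
```

The naive filter accepts `/.../` because it is not the exact substring it looks for; the resolver refuses it because a dot-only segment remains after canonicalisation, and refuses `////./../.../` because the `..` has already carried the normalised path above the root. Names containing a space decode and resolve normally, so the hardened check does not reintroduce the %20 limitation noted under IMPACT.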
Bug discovered and published by Florian "BlueScreen" Hobelsberger (BlueScreen@IT-Checkpoint.net) from www.IT-Checkpoint.net

-----------------------

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages.
This archive was generated by hypermail 2b30 : Tue May 07 2002 - 20:37:18 PDT