iDEFENSE Security Advisory 09.23.2002: Directory Traversal in Dino's Webserver

From: David Endler (dendlerat_private)
Date: Mon Sep 23 2002 - 13:41:19 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    iDEFENSE Security Advisory 09.23.2002
    Directory Traversal in Dino's WebServer
    
    DESCRIPTION
    
    A vulnerability exists in the latest version of Dino's Webserver that
    can allow an attacker to view and retrieve any file on the system.
    
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2002-1133 to this issue.
     
    ANALYSIS
    
    An attacker can construct a URL that causes Dino's Webserver to
    navigate to any folder on the same logical drive and read the files in
    it. The server rejects a literal ".." sequence, but the URL-encoded
    representations of "/" and "\" are decoded after that check, so a
    request of the following form traverses to any directory on the same
    logical drive as the web application. e.g.
    http://$host/%2f..%2f..%2f..$directory$file
    
    This issue is similar to CVE-2002-0111 which involved a traditional
    .. directory traversal flaw that was fixed.
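The flaw described above is the classic check-before-decode ordering bug: a filter that looks for ".." in the raw request path is satisfied, and the percent-encoded separators are only turned back into "/" or "\" afterwards. The following Python is an added illustration written for this page, not code from iDEFENSE or from Dino's Webserver; the document root, the function names and the sample request paths are assumptions. It shows the vulnerable ordering beside a resolver that decodes first, treats both separator characters the same, walks the path segment by segment and refuses any request that would climb above the document root.

```python
from pathlib import PurePosixPath
from urllib.parse import unquote

# Assumed document root for the examples below (not from the advisory).
DOCROOT = PurePosixPath("/srv/www")


def naive_is_safe(url_path: str) -> bool:
    """Vulnerable pattern: inspect the raw request path for a '..' segment.

    The check runs before percent-decoding, so '%2f..%2f' never splits into
    a '..' segment here, yet the server decodes it to '/../' afterwards.
    """
    return ".." not in url_path.split("/")


def resolve_request_path(url_path: str, docroot: PurePosixPath = DOCROOT):
    """Map a request path onto docroot, or return None if it would escape.

    Order of operations matters: decode once, reject anything that still
    looks encoded, normalise separators, then walk the segments with a stack.
    """
    decoded = unquote(url_path)  # %2f -> "/", %5c -> "\", %2e -> "."
    if "%" in decoded or "\x00" in decoded:
        # Leftover '%' means double encoding; NUL would truncate the C path.
        return None
    decoded = decoded.replace("\\", "/")  # Windows servers accept both
    parts: list[str] = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue  # empty (from '//') and current-dir segments are no-ops
        if segment == "..":
            if not parts:
                return None  # would step above the document root
            parts.pop()
            continue
        parts.append(segment)
    return docroot.joinpath(*parts)


if __name__ == "__main__":
    # Constructed sample requests, including the encoded form from the advisory.
    for req in ("/index.html", "/docs/../index.html",
                "/%2f..%2f..%2f..%2fboot.ini", "/%5c..%5cboot.ini",
                "/%252e%252e/x"):
        print(f"{req!r:36} naive_safe={naive_is_safe(req)!s:5} "
              f"resolved={resolve_request_path(req)}")
```

Run as a script, the output shows the naive filter accepting the encoded request while the resolver returns None for it; the literal `/docs/../index.html` form is accepted by both because it never leaves the root. The decode-once-then-reject-remaining-percent rule is what stops the double-encoded `%252e` variant without needing a decoding loop.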
    
    
    DETECTION
    
    This vulnerability affects Dino's Webserver version 1.2.
    
    
    VENDOR RESPONSE
    
    The author Anders Jensen, outdoorsat_private, stated:
    
    "My webserver will be removed from the downloads that I control, I
    neither have the time nor resources to do anything else at the moment."
    
    The public download site, http://home.no.net/~nextgen/ has been
    replaced with a message reading "Dino's FunSoft is no longer
    available. The software will maybe sometime in the future be available
    on another label, but when and if for sure I really can't tell,
    sorry. Dino_"
    
    Dino's Webserver nevertheless remains available via many other
    download sites, such as download.com.
    
    
    DISCLOSURE TIMELINE
    
    8/10/2002 - Disclosed to iDEFENSE
    9/6/2002 - Disclosed to Vendor, Anders Jensen
    9/6/2002 - Disclosed to iDEFENSE Clients
    9/14/2002 - Vendor Response
    9/23/2002 - Public Disclosure
    
    
    CREDIT
    
    This issue was exclusively disclosed to iDEFENSE by Tamer Sahin
    (tsat_private).
    
    
    Get paid for security research:
    http://www.idefense.com/contributor.html
    
    
    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071
    
    dendlerat_private
    www.idefense.com
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1.2
    Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A
    
    iQA/AwUBPY98GUrdNYRLCswqEQI72ACg9Wk4Sz3/UMw48BBuexmMeYDbO7kAoMKX
    KWsbJK1rUChBvXQcW/0wbB4F
    =ymjN
    -----END PGP SIGNATURE-----
    