Small HTTP Server Discloses Administrator Password to Local Users
|
|
SecurityTracker Alert ID: 1007340
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jul 30 2003
|
Impact: Disclosure of authentication information, User access via local system
|
Exploit Included: Yes
|
Version(s): 3.03998
|
Description: CyberTalon reported an authentication information disclosure vulnerability in the Small HTTP Server. A local user can view the administrator's password.
It is reported that the software stores the administrator's password in plain text in the 'C:/shttp/http.cfg' file.
|
Impact: A local user can view the administrative password.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: home.lanck.net/mf/srv/index.htm (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Windows (Any)
|
Reported By: cyber talon <cyber_talon@hotmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 30 Jul 2003 16:56:45 -0300
From: cyber talon <cyber_talon@hotmail.com>
Subject: Small WebServer Local Password Vulnerability
|
Small WebServer 3.03998 Local Password Vulerablity
Found by: CyberTalon
1. Intro
2. Problem
3. Solution
4. Ending
1. I found a local password vulnerability in Small WebServer 3.03998.
2. Small WebServer stores the administrator's password in C:/shttp/http.cfg.
This could allow an attacker to steal the administrator's password to the
Webserver.
3. They need to use encryption when storing the password.
4. This could allow an attacker to compromise the server if they could get
to it, and read it out of the http.cfg locally.
-CT
_________________________________________________________________
The new MSN 8: advanced junk mail protection and 2 months FREE*
http://join.msn.com/?page=features/junkmail
|
|
