myServer Input Validation Flaw Discloses Files on the System to Remote Users
SecurityTracker Alert ID: 1007816
CVE Reference: GENERIC-MAP-NOMATCH
Updated: Sep 26 2003
Original Entry Date: Sep 25 2003
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 0.4.3
Description: Arnaud Jacques (aka scrap) reported a directory traversal vulnerability in myServer. A remote user can view arbitrary files on the system with the privileges of the web service.
It is reported that a remote user can submit a specially crafted URL to view files on the system that are located outside of the web document directory. To exploit this flaw, the URL must be composed of a combination of directory traversal characters. For each change in directory level, the URL should contain the '/.' string once for each change plus an additional occurrence, followed by the appropriate number of '/..' strings. Some demonstration examples are provided:
/././..
/./././../..
/././././../../..
/./././././../../../..
The original advisory (including a screen shot) is available at:
http://www.securiteinfo.com/attaques/hacking/myServer0_4_3.shtml
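The following is an added example, not code from myServer or from the advisory: a request-path normalizer that resolves '.' and '..' segments against the web root and refuses any path that would step above it, which goes beyond the four listed URLs by also covering percent-encoded and backslash variants. The function name and the rules for refusing Windows-specific segment forms are assumptions of this example.

```python
from urllib.parse import unquote

# The four demonstration URLs listed in the advisory above.
ADVISORY_EXAMPLES = [
    "/././..",
    "/./././../..",
    "/././././../../..",
    "/./././././../../../..",
]


def normalize_request_path(raw_path):
    """Resolve a URL path to segments below the web root.

    Returns a list of segments, or None if the path must be refused.
    Hypothetical helper for illustration; not myServer's code.
    """
    path = unquote(raw_path.split("?", 1)[0])   # drop query, decode once
    if "\x00" in path:
        return None
    segments = []
    # Windows accepts '\' as a separator, so treat it like '/'.
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue                 # no-op: stays in the same directory
        if seg == "..":
            if not segments:
                return None          # would step above the web root
            segments.pop()
            continue
        # Assumption: refuse forms Windows may reinterpret (trailing dot or
        # space, drive letters or stream names containing ':').
        if seg != seg.rstrip(". ") or ":" in seg:
            return None
        segments.append(seg)
    return segments


if __name__ == "__main__":
    for url in ADVISORY_EXAMPLES + ["/docs/./img/../index.html"]:
        print(url, "->", normalize_request_path(url))
```

Because the '/.' segments never add depth, each of the advisory's URLs is refused at its first '..' segment, while a path such as /docs/./img/../index.html resolves to docs/index.html.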
Impact: A remote user can view files on the system that are located outside of the web document directory with the privileges of the myServer process.
Solution: The vendor has released a fixed version (0.5), available at:
http://sourceforge.net/project/showfiles.php?group_id=63119
Vendor URL: myserverweb.sourceforge.net/
Cause: Input validation error
Underlying OS: Windows (Any)
Reported By: scrap <webmaster@securiteinfo.com>
Message History:
None.
Source Message Contents
Date: Thu, 25 Sep 2003 23:01:22 +0200
From: scrap <webmaster@securiteinfo.com>
Subject: myServer 0.4.3 Directory Traversal Vulnerability
myServer 0.4.3 Directory Traversal Vulnerability
.oO Overview Oo.
myServer version 0.4.3 shows files and directories that reside outside the
normal web root directory.
Discovered on 2003, August, 23rd
Vendor: Myserver (http://myserverweb.sourceforge.net/forum/portal.php)
MyServer is a free, powerful web server program designed to be easily run on a
personal computer by the average computer user. It is a multithread
application and supports HTTP, CGI, ISAPI, WinCGI and FastCGI protocols. It
is available on Windows and Linux Operating Systems. This web server can
show file and directory content that reside outside the normal web root
directory.
Original text is at
http://www.securiteinfo.com/attaques/hacking/myServer0_4_3.shtml
.oO Details Oo.
The vulnerability can be done using any browser. You just have to send a
specially crafted dot-dot URL to retrieve any file outside of the root
directory.
.oO Exploit Oo.
You have to create a dot-dot URL with the same number of "/./" and "/../" + 1.
For example, you can use:
/././..
/./././../..
/././././../../..
/./././././../../../..
etc...
.oO Solution Oo.
The vendor has been informed and has solved the problem.
Download MyServer 0.5 at
http://sourceforge.net/project/showfiles.php?group_id=63119
.oO Discovered by Oo.
Arnaud Jacques aka scrap
webmaster@securiteinfo.com
http://www.securiteinfo.com