SecurityTracker.com
Category:   Application (Web Server/CGI)  >   LiteWeb
Vendors:   Perception
LiteWeb Lets Remote Users Access Restricted Pages
SecurityTracker Alert ID:  1014096
SecurityTracker URL:  http://securitytracker.com/id/1014096
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 3 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.5
Description:   Ziv Kamir from Global Security Solution IT reported a vulnerability in LiteWeb. A remote user can access ostensibly protected files on the target system.

A remote user can request the following type of URLs to access password-protected files on the target server without having to authenticate:

http://[target]/\admin\/login.html

http://[target]//admin//login.html

The vendor was notified on June 2, 2005.

Impact:   A remote user can access password-protected files on the target system.
Solution:   No solution was available at the time of this entry. The vendor plans to issue a fix in the next version.
Vendor URL:  www.cmfperception.com/liteweb.html
Cause:   Authentication error
Underlying OS:   Windows (Any)

Message History:   None.
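
The advisory gives the cause only as "Authentication error". The added example below (not LiteWeb's code and not from the reporter) assumes the access check compared the raw request path against the protected prefix, and sets that check beside one that canonicalizes the path first. The /admin prefix comes from the advisory's URLs; the function names and the extra sample paths are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Protected directory, taken from the URLs in the advisory.
PROTECTED_PREFIXES = ("/admin",)

def naive_requires_auth(raw_path: str) -> bool:
    """Assumed flawed check: literal prefix match on the raw request path."""
    return any(raw_path == p or raw_path.startswith(p + "/")
               for p in PROTECTED_PREFIXES)

def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the form a Windows file system resolves."""
    path = unquote(raw_path)           # decode percent-escapes once
    path = path.replace("\\", "/")     # Windows accepts backslash as separator
    path = re.sub(r"/+", "/", "/" + path)  # collapse runs of separators
    path = posixpath.normpath(path)    # resolve "." and ".." segments
    return path.lower()                # Windows file names are case-insensitive

def hardened_requires_auth(raw_path: str) -> bool:
    """Authorization decision made on the canonical path.

    The server must also open the file via the canonical path, so the
    checked name and the served name cannot differ.
    """
    canon = canonicalize(raw_path)
    return any(canon == p or canon.startswith(p + "/")
               for p in PROTECTED_PREFIXES)

def find_bypasses(paths):
    """Paths that reach a protected resource but slip past the naive check.

    Usable as a detection pass over request paths from access logs.
    """
    return [p for p in paths
            if hardened_requires_auth(p) and not naive_requires_auth(p)]

# Constructed sample: two path forms from the advisory plus two ordinary ones.
SAMPLE_PATHS = [
    "/admin/login.html",
    "/\\admin\\/login.html",
    "//admin//login.html",
    "/index.html",
]

if __name__ == "__main__":
    for p in find_bypasses(SAMPLE_PATHS):
        print("unauthenticated path form reaches protected area:", p)
```
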


 Source Message Contents

Date:  Thu, 2 Jun 2005 11:24:08 -0700 (PDT)
Subject:  LiteWeb 2.5



02/06/05


====================================
 GSSIT - Global Security Solution IT
====================================		

-------------------------------------------------------

Application: LiteWeb Server
Web Site:    www.cmfperception.com
Versions:    2.5
Platform:    Windows 
Bug:         An access control vulnerability.
             
                           
Credits:
########

#########################################
#         ==  Ziv Kamir ==              #
#                                       #
# GSSIT - Global Security Solution IT   #                   
#                                       #
#     Email : gss_it@yahoo.com          #
#                                       #
#     Web   : www.gssit.co.il           #
#                                       #
#########################################

---------------------

1) Introduction
2) Bug
3) The Code
4) Fix


================
1) Introduction
================

LiteWeb is a powerful web server that handles multiple domains 
and supports PHP, Perl, MySQL, and much more. 


=======
2) Bug
=======

A remote user may obtain password-protected files on the server without having to authenticate. 


===========
3) The Code
===========

http://Target/\admin\/login.html

http://Target//admin//login.html


======
4) Fix
======

Date of Vendor Notification:
----------------------------

02/06/05

Response:
---------

02/06/05

It will be fixed in the next version.



==============================================================================================

                 *** The Data is for educational purpose only. *** 

          The information in this bulletin is provided "AS IS" without 
          warranty of any kind. In no event shall we be liable for any 
          damages whatsoever including direct, indirect, incidental, 
          consequential, loss of business profits or special damages. 

==============================================================================================
 
 



Copyright 2012, SecurityGlobal.net LLC