Date: Wed, 21 May 2003 19:40:00 -0700
From: D4rkGr3y <grey_1999@...l.ru>
To: bugtraq@...urity.nnov.ru, bugtraq@...urityfocus.com
Subject: EServ/2.99: problems


-----BEGIN PGP SIGNED MESSAGE-----

###############################################################*
#          Damage Hacking Group security advisory
#                     www.dhgroup.org
###############################################################*
#Product: EServ/2.95-99
#Authors: Etype Co. [www.eserv.ru]
#Vulnerability: multiple bugs
###############################################################*

#Overview#-----------------------------------------------------#
Imho Eserv is the best Russian server. It includes http, pop,
smtp, ftp, nntp, socks, proxy, finger servers. You can download
it from www.eserv.ru.

#Problems#------------------------------------------------------#
1. Viewing web-directory content even if there is an index-file.
Ex.:
GET /? HTTP/1.1
This request will return the content of the wwwroot dir.

2. Any remote user can use the http/ftp servers as anonymous (!!!)
proxy servers even if a password is set in the settings or the
proxy is switched off! So, if an administrator wants to use the http
server on port 80 and doesn't want to use the http proxy on 8080,
he cannot manage it. Through port 80 any person can
browse the Internet.
The interesting thing is that it works the other way around too.
For example, if the user has switched the http server off and the http
proxy is on, he can use it as a standard web server. And it is
obvious that if the user has no site there is no index.html! And we
can see the contents of the wwwroot folder.

The authors insisted that the server had troubles because I had
installed it over the previous version, and that it has
no vulnerabilities in the default configuration. I assure you
that it is not true.

PS. I want to remind you that the ftp server can also be used as an ftp
proxy.

#wow#-----------------------------------------------------------#
%$#@ www.dhgroup.org -=> opened an English version! Come on in :)

#eof

Best regards               www.dhgroup.org
  D4rkGr3y                    icq 540981

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQCVAwUBPsw4e24LIpseSJmPAQFocgP+JOaORsuvFNodcJwl4xX5//V7EYvPa1h3
VlHuXfuC0MpDrdlK7i4cMQcHm/DCklucF5FTyIU4aNgsHm4GWkyko3oZLAmGCk2E
GqfyEN69NYUJh/KpRcpBc4KhDUslH2AOuZD/RvW8CM7vqnI0D+PG+JCM22Bf8e1m
PpAOcMFuWZ4=
=6JlP
-----END PGP SIGNATURE-----
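Defender-side detection for the two behaviours the advisory above describes, as an added example that is not part of the original post or of EServ: it scans constructed Common Log Format access-log lines for proxy-style requests (an absolute-URI request-target or CONNECT for a host the server does not itself serve, i.e. someone using the web-server port as an open proxy) and for the bare "/?" request that the advisory says returns the wwwroot listing. LOCAL_HOSTS, the sample log lines and the regex are assumptions made for this example.

```python
"""Flag open-proxy use and "/?" directory-listing probes in a web access log.

Added example, not part of the advisory or of EServ. Input lines are in
Common Log Format; both the sample lines and LOCAL_HOSTS are constructed.
"""
import re
from urllib.parse import urlsplit

# Common Log Format: client ident user [time] "METHOD target HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Hostnames this server legitimately serves (assumption for the example).
# An absolute URI naming one of these is a normal HTTP/1.1 request,
# not proxy use, so it is not flagged.
LOCAL_HOSTS = {"www.example.test", "example.test", "localhost"}

# Constructed sample log (addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/May/2003:19:40:00 -0700] "GET /index.html HTTP/1.1" 200 1234',
    '203.0.113.5 - - [21/May/2003:19:40:01 -0700] "GET /? HTTP/1.1" 200 4096',
    '198.51.100.7 - - [21/May/2003:19:41:12 -0700] "GET http://news.example.net/ HTTP/1.1" 200 51200',
    '198.51.100.7 - - [21/May/2003:19:41:13 -0700] "GET http://www.example.test/about.html HTTP/1.1" 200 900',
    '192.0.2.9 - - [21/May/2003:19:42:00 -0700] "GET /?page=2 HTTP/1.1" 200 300',
    '192.0.2.9 - - [21/May/2003:19:42:30 -0700] "CONNECT mail.example.net:443 HTTP/1.1" 200 -',
]


def classify(line):
    """Return a finding label for one access-log line, or None if benign.

    "open-proxy": the request-target is an absolute URI whose host is not
    one we serve, or the method is CONNECT (tunnel request); either means
    the client treated our web-server port as a proxy.
    "dir-listing-probe": the request-target is exactly "/?", the request
    the advisory reports as returning the wwwroot directory listing.
    """
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line; a real deployment would count these
    target = m.group("target")
    if m.group("method") == "CONNECT":
        return "open-proxy"
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        host = (parts.hostname or "").lower()
        if host not in LOCAL_HOSTS:
            return "open-proxy"
    if target == "/?":
        return "dir-listing-probe"
    return None


def scan(lines):
    """Return (client, label, target) for every line that matches a pattern."""
    findings = []
    for line in lines:
        label = classify(line)
        if label is None:
            continue
        m = LOG_RE.match(line)
        findings.append((m.group("client"), label, m.group("target")))
    return findings


if __name__ == "__main__":
    for client, label, target in scan(SAMPLE_LOG):
        print(f"{label:18} {client:15} {target}")
```

The "/?page=2" line is deliberately left benign: a query string on the root is ordinary application traffic, and only the bare "/?" target matches the advisory's trigger. Requests for absolute URIs naming the server's own hostname are likewise ignored because HTTP/1.1 clients may legitimately send them.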