lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3EF74A3C.5010606@tripbit.org>
Date: Mon, 23 Jun 2003 20:43:08 +0200
From: "Rushjo@...pbit.org" <rushjo@...pbit.org>
To: bugtraq@...urityfocus.com
Subject: TA-2003-06 Directory Transversal Vulnerability in iWeb Server 2


TA-2003-06 Directory Transversal Vulnerability in iWeb Server 2
contributed by: rushjo
====================================================================================== 


Tripbit Security Advisory

TA-2003-06 Directory Transversal Vulnerability in iWeb Server 2
====================================================================================== 




PROGRAM: iWeb Server 2
HOMEPAGE: http://www.ashleybrown.co.uk/iweb/
VULNERABLE VERSIONS: 2
RISK: High/Medium
IMPACT: Directory Transversal Vulnerability
RELEASE DATE: 2003-06


======================================================================================
TABLE OF CONTENTS
====================================================================================== 




1..........................................................DESCRIPTION
2..............................................................DETAILS
3............................................................SOLUTIONS
4........................................................VENDOR STATUS
5..............................................................CREDITS
6...........................................................DISCLAIMER
7...........................................................REFERENCES
8.............................................................FEEDBACK


1. DESCRIPTION
====================================================================================== 




"The iWeb Mini Web Server is a mini web server designed for use on
Intranets and for
testing websites in a realistic environment."

(This description is taken from the website of Ashley Brown)


2. DETAILS
====================================================================================== 




ยค Directory Transversal Vulnerability:


There is an other Directory Transversal Vulnerability in iWeb Server
which allows
an remote attackers to see the content of the requested file.


for example:

	  http://host/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows\system.ini



3. SOLUTIONS
====================================================================================== 




No solution for the moment.



5. VENDOR STATUS
====================================================================================== 




The vendor has reportedly been notified. But the vendor told us that is an
old bug. We don't think so.



6. CREDITS
====================================================================================== 




Discovered by posidron



7. DISLAIMER
====================================================================================== 




The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.



8. REFERENCES
====================================================================================== 




- Original Version:
http://www.tripbit.org


9. FEEDBACK
======================================================================================


Please send suggestions, updates, and comments to:


Tripbit Security Advisory
http://www.tripbit.org
rushjo@...pbit.org
posidron@...pbit.org







Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ