lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3D8F442F.9992.1EC85A1@localhost>
From: dendler at idefense.com (David Endler)
Subject: iDEFENSE Security Advisory 09.23.2002: Directory Traversal in Dino's Webserver

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 09.23.2002
Directory Traversal in Dino's WebServer

DESCRIPTION

A vulnerability exists in the latest version of Dino’s Webserver that
can allow an attacker to view and retrieve any file on the system. 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-1133 to this issue.
 
ANALYSIS

An exploit is possible from an attacker constructing a URL that would
cause Dino's Webserver to navigate to any desired folder in the same
logical drive and access the files in it. This can be achieved by
using the URL encoded character representations of "/" and "\". This
allows a user to traverse the server to any directory on the same
logical drive as the web application. e.g.
http://$host/%2f..%2f..%2f..$directory$file

This issue is similar to CVE-2002-0111 which involved a traditional
.. directory traversal flaw that was fixed.


DETECTION

This vulnerability affects Dino’s Webserver version 1.2


VENDOR RESPONSE

The author Anders Jensen, outdoors@...cali.no, stated:

"My webserver will  be removed from the download`s  that I control, I
neither hav the time or resources to do anything else at the moment."

The public download site, http://home.no.net/~nextgen/ has been
replaced with a message reading "Dino`s FunSoft is no longer
available. the software will maybe somtime in the future be available
on another label, but when and if for shure I really can`t tell,
sorry. Dino_"

Dino's Webserver remains available however via many other download
sites such as download.com, etc.


DISCLOSURE TIMELINE

8/10/2002 - Disclosed to iDEFENSE
9/6/2002 - Disclosed to Vendor, Anders Jensen
9/6/2002 - Disclosed to iDEFENSE Clients
9/14/2002 - Vendor Response
9/23/2002 - Public Disclosure


CREDIT

This issue was exclusively disclosed to iDEFENSE by Tamer Sahin
(ts@...urityoffice.net).  


Get paid for security research:
http://www.idefense.com/contributor.html


David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@...fense.com
www.idefense.com


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPY98GUrdNYRLCswqEQI72ACg9Wk4Sz3/UMw48BBuexmMeYDbO7kAoMKX
KWsbJK1rUChBvXQcW/0wbB4F
=ymjN
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ