Message-ID: <3DAC1443.14310.20684EFB@localhost>
From: dendler at idefense.com (David Endler)
Subject: iDEFENSE Security Advisory 10.15.02: DoS and Directory Traversal Vulnerabilities in WebServer 4 Everyone
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
iDEFENSE Security Advisory 10.15.02:
http://www.idefense.com/advisory/10.15.02.txt
DoS and Directory Traversal Vulnerabilities in WebServer 4 Everyone
October 15, 2002
I. BACKGROUND
RadioBird Software's WebServer 4 Everyone is a free "Powerful,
MultiClient, yet Easy to handle and maintain, WebServer." It is
available for download at http://www.freeware.lt/ .
II. DESCRIPTION
Issue 1:
Improper bounds checking allows attackers to launch a denial of
service (DoS) attack, causing the web server to crash. The condition
is triggered when the software receives a request for a long
filename, such as GET /AAAAAAAA...3000...AAAA HTTP/1.1.
Issue 2:
A directory traversal issue exists. The software can be duped into
serving a restricted file. This happens when an attacker issues a
directory traversal request using the URL-encoded (hexadecimal)
representation of the forward slash character (%2F). For example, if
the URL http://target.server/%2f..%2f..%2f../winnt/repair/sam were
sent to a target server, the SAM table would be retrieved.
A vulnerability exists that provides attackers access to arbitrary
files on the server running the application.
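The two issues above, as an added example that is not part of this advisory or of WebServer 4 Everyone (whose source is not public): Python showing why a traversal check applied to the still-encoded path misses %2f, a hardened resolver that bounds the request length before copying and decodes before normalising against the document root, and a scanner that flags both patterns in constructed access-log lines. MAX_PATH_LEN, DOC_ROOT and the log lines are assumptions, and the %5c (encoded backslash) line in the sample log goes beyond the advisory's %2f case.

```python
"""Added example: request-path hardening and log detection for the two
WebServer 4 Everyone issues (long-filename crash, %2f traversal).  Not the
vendor's code; limits, document root and log lines are assumptions."""
import posixpath
import re
from urllib.parse import unquote

# Assumed values (the advisory only says a ~3000-byte name crashes the server).
MAX_PATH_LEN = 1024
DOC_ROOT = "/var/www/htdocs"


def weak_is_safe(raw_path: str) -> bool:
    """The kind of check the advisory implies: a traversal test on the raw,
    still percent-encoded path.  "%2f..%2f" contains no literal "/../",
    so an encoded request passes."""
    return "/../" not in raw_path and not raw_path.startswith("../")


def resolve_request_path(raw_path: str, doc_root: str = DOC_ROOT,
                         max_len: int = MAX_PATH_LEN):
    """Hardened version.  Returns the filesystem path to serve, or None if
    the request must be rejected.
    Issue 1: bound the length before doing anything else.
    Issue 2: percent-decode *before* checking, then normalise the joined
    path and require that it still lies under the document root."""
    if len(raw_path) > max_len:
        return None                        # over-long request: refuse it
    decoded = raw_path
    for _ in range(3):                     # also strips double encoding (%252f)
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")   # treat Windows separators as "/"
    full = posixpath.normpath(posixpath.join(doc_root, decoded.lstrip("/")))
    if full != doc_root and not full.startswith(doc_root + "/"):
        return None                        # ".." climbed above the root
    return full


# Constructed access-log lines in Common Log Format (sample data, not real).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Oct/2002:10:01:02 -0400] "GET /index.html HTTP/1.1" 200 1532
10.0.0.9 - - [15/Oct/2002:10:01:07 -0400] "GET /%2f..%2f..%2f../winnt/repair/sam HTTP/1.1" 200 24576
10.0.0.9 - - [15/Oct/2002:10:01:09 -0400] "GET /docs/..%5c..%5cwinnt/repair/sam HTTP/1.1" 404 0
10.0.0.7 - - [15/Oct/2002:10:02:30 -0400] "GET /{} HTTP/1.1" 500 0
""".format("A" * 3000)

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)


def scan_log(text: str):
    """Replay each logged request path through the hardened resolver and
    report (source, kind, status, detail) for anything it would refuse.
    Attempts are reported regardless of status: a 404 still shows intent."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, status = m.group("path"), int(m.group("status"))
        if len(path) > MAX_PATH_LEN:
            findings.append((m.group("src"), "oversized-path", status, len(path)))
        elif resolve_request_path(path) is None:
            findings.append((m.group("src"), "traversal", status, path))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The order of operations is the whole point: decode first, normalise second, check containment last. A check that looks for "../" in the raw request, as weak_is_safe does, is bypassed by any encoding of the separator, and the length check has to run before the name is copied anywhere, not after.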
III. ANALYSIS
For Issue 1, exploitation could allow an attacker to deny legitimate
users access to the server and the contents that it provides.
For Issue 2, exploitation allows an attacker to obtain sensitive
information, such as the Windows NT SAM table. This kind of
information can allow further compromise of the targeted host.
Sensitive information such as credit cards can also be retrieved.
Customers should note that a remote user with access to the
application can launch these attacks.
IV. DETECTION
iDEFENSE has confirmed the existence of both vulnerabilities in
WebServer 4 Everyone, versions 1.23 and 1.27. Earlier versions are
likely affected, as well.
V. VENDOR FIX
Leonardas Survila of RadioBird Software released WebServer 4
Everyone, version 1.30, which fixes the problems. It is downloadable
at ftp://ftp.freeware.lt/anonymous/Soft/w4asetup.exe.
VI. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1212 to Issue 1 and
CAN-2002-1213 to Issue 2.
VII. DISCLOSURE TIMELINE
10/06/2002 Issues disclosed to iDEFENSE
10/14/2002 Vendor notified via e-mail to ulterior@...eware.lt
10/14/2002 iDEFENSE clients notified
10/14/2002 Response received from Leonardas Survila
(leonardass@....lt)
10/15/2002 Vendor fix created
10/15/2002 Coordinated public disclosure
VIII. CREDIT
Tamer Sahin (ts@...urityoffice.net) discovered both of these
vulnerabilities.
Get paid for security research
http://www.idefense.com/contributor.html
Subscribe to iDEFENSE Advisories:
send email to listserv@...fense.com, subject line: "subscribe"
About iDEFENSE:
iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.
- -dave
David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
dendler@...fense.com
www.idefense.com
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A
iQA/AwUBPaxMJkrdNYRLCswqEQIabQCdEXlBmEBU0u2z09zztLpto/p0GSEAoL2j
hG8hLEn20rIAAo6QitYW9/7M
=JI4s
-----END PGP SIGNATURE-----