[Full-Disclosure] VisNetic WebSite Path Disclosure Vulnerability

From: Peter Kruse (kruse_at_krusesecurity.dk)
Date: 07/02/03

  • Next message: Schmehl, Paul L: "RE: [Full-Disclosure] Microsoft Cries Wolf ( again )"
    To: "'Vulnwatch'" <vulnwatch@vulnwatch.org>, "'Bugtraq'" <bugtraq@securityfocus.com>, "'Netsys'" <full-disclosure@netsys.com>
    Date: Wed, 2 Jul 2003 00:23:31 +0200
    
    

    Name: VisNetic WebSite Path Disclosure Vulnerability
    Date: 2nd of July 2003
    Software affected: VisNetic WebSite 3.5, Service release 17
    (prior versions are vulnerable)
    Advisory: http://www.krusesecurity.dk/advisories/vis0103.txt
    Vendor: http://www.deerfield.com/download/visnetic_website/
    Risk: Low/Medium

    Vendor Description:

    VisNetic Website, the first web server developed specifically for
    Windows,
    can use almost any development platform, and includes features that
    allow
    web developers to create powerful, flexible web sites. VisNetic WebSite
    is a secure windows-based web server that supports multiple domains, and
    allows TLS/SSL secured domains. This web server also includes support
    for
    a user database that can restrict access to content, and is immune to
    many of the security issues that may arise with other popular web
    servers.

    Problem:

    When requesting a certain file from the vti-bin folder from Visnetic
    Website, a folder that doesn't exist, the error message returned will
    reveal
    the absolute local path of the web folder on the target host's
    filesystem.

    POC (simpel, eh?):
    http://www.somehost.com/_vti_bin/fpcount.exe/

    will return the following error
    (including the local path of the installed webpage):

    ->

    500 Server Error

    The server encountered an error and was unable to complete your request.

    Message: Empty output from CGI program c:/localpath/_vti_bin/fpcount.exe

    Please contact the server administrator at postmaster@somehost.com and
    inform them
    of the time the error occured, plus anything you know of that may have
    caused the error.

    <-

    As you can see, the data returned by Visnetic Website, includes
    information about the
    local filesystem, that could be misused to gain sensitive information
    about the
    configuration of the Remote host.

    Solution:
    The problem should, according to Visnetic, have been resolved in the
    latest build of
    VisNetic WebSite that is available on the Visnetic Website download
    page.
    This I canīt confirm.

    The update can be downloaded from the Visnetic WebSite administration
    console, support
    tab, check for updates (at the bottom of the tab).

    Kind regards

    Peter Kruse
    Kruse Security
    http://www.krusesecurity.dk

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Schmehl, Paul L: "RE: [Full-Disclosure] Microsoft Cries Wolf ( again )"

    Relevant Pages