Web Server 4D/eCommerce 3.5.3 Directory Traversal Vulnerability

From: Tamer Sahin (tamer@ONAR.COM.TR)
Date: 01/14/02 

Date:         Tue, 15 Jan 2002 00:41:36 +0200
From: Tamer Sahin <tamer@ONAR.COM.TR>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Web Server 4D/eCommerce 3.5.3 Directory Traversal Vulnerability

Type:
Directory Traversal

Release Date:
December 15, 2002

Product / Vendor:
Web Server 4D/eCommerce is a single application that includes a
shopping cart, credit card authorization, and order tracking.

http://www.mdg.com

Summary:
A vulnerability exists in WS4D/eCommerce which could allow an
unauthorized user to gain access to a known file residing on the
target host.

This is achievable if a specially crafted URL composed of double dot
"../" directory traversal sequences, with Unicode character
representations substituted for "/" and "\" , is submitted to a host.

Example:
http://host/%2f..%2f..%2f../ws4d.log.txt

And view webserver log file.

Tested:
Windows 2000 / Web Server 4D/eCommerce 3.5.3

Vulnerable:
Web Server 4D/eCommerce 3.5.3 (And may be other)

Disclaimer:
http://www.securityoffice.net is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.

Authors:
Tamer Sahin
ts@securityoffice.net
http://www.securityoffice.net

Tamer Sahin
http://www.securityoffice.net
PGP Key ID: 0x2B5EDCB0 Fingerprint:
B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPENen7uLpFMrXtywEQLnVQCdGhlNqNuWlluKNn+D7SXO2LyW9c8AoMNE
XKb9PeN8Ro9jxsTVgHpLs7JC
=bi0h
-----END PGP SIGNATURE-----

============================================================================
Delivery co-sponsored by VeriSign - The Internet Trust Company
============================================================================
FREE E-COMMERCE SECURITY INFRASTRUCTURE GUIDE
When building an e-commerce site, you want to start with a strong, secure
foundation. Learn how with VeriSign's FREE White Paper, "Building an
E-Commerce Trust Infrastructure." See how you can authenticate your site to
customers, use 128-Bit SSL encryption to secure your web servers, and accept
secure payments online. Click here:
http://www.verisign.com/cgi-bin/go.cgi?a=n116965650045000
============================================================================

Relevant Pages

  • SecurityFocus Microsoft Newsletter #102
    ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows Media Player File Attachment Script Execution... ... Microsoft TSAC ActiveX Control Buffer Overflow Vulnerability ... Abyss Web Server Malicious HTTP Request Information Disclosure... ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #95
    ... MICROSOFT VULNERABILITY SUMMARY ... BEA Systems WebLogic Server and Express Race Condition Denial... ... Key Focus KF Web Server Directory Contents Disclosure... ... KMMail Code Injection Vulnerability ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #93
    ... cyber attacks and bulletproof countermeasures to prevent attacks before ... MICROSOFT VULNERABILITY SUMMARY ... YaBB Invalid Topic Error Page Cross Site Scripting Vulnerability ... GameCheats Advanced Web Server Malformed HTTP Request Denial Of... ...
    (Focus-Microsoft)
  • [NT] Xedus Webserver Directory Traversal and DoS
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The Xedus web server is vulnerable to a directory traversal. ... this vulnerability constitutes a denial of ...
    (Securiteam)
  • RE: New HP Jetdirect SNMP password vulnerability when using Web JetAdmin
    ... The issue at hand stems from the fact that the web server in older ... If you set the snmp community string to anything other than the ... New HP Jetdirect SNMP password vulnerability when using Web ... -A Web Jetadmin "device password" had been set on the JetDirect card. ...
    (Bugtraq)