SecurityOffice Security Advisory:// Essentia Web Server Directory Traversal Vulnerability

From: Tamer Sahin (tamer@ONAR.COM.TR)
Date: 02/22/02


Date:         Fri, 22 Feb 2002 22:17:26 +0200
From: Tamer Sahin <tamer@ONAR.COM.TR>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Essentia Web Server Directory Traversal Vulnerability

Type:

Directory Traversal

Release Date:

February 22, 2002

Product / Vendor:

The Essentia Web Server provides Enhanced Web Application and
Communication Services. Whether you are setting up a simple Web Site
on your Corporate Intranet or creating large sites for the Internet,
Essentia provides a simple and flexible way to make an even stronger
Web and Applications Platform.

http://www.essencomp.com/

Summary:

Adding the string "/../" to a URL allows an attacker to view and
download any file on the server.

http://host/../../

Tested:

Windows 2000 / Essentia Web Server 2.1

Vulnerable:

Essentia Web Server 2.1 (and possibly other versions)

Disclaimer:

http://www.securityoffice.net is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.

Author:

Tamer Sahin
ts@securityoffice.net
http://www.securityoffice.net

Tamer Sahin
http://www.securityoffice.net
PGP Key ID: 0x2B5EDCB0

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPHanVLuLpFMrXtywEQJXcwCffudTxOTjxoMAcvyzwnH1j9t3wM0AmgN8
3em0jMpGTxavQ7S9eNip0o7U
=j44y
-----END PGP SIGNATURE-----
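
The class of flaw summarized in the advisory, shown as an added example from the defender's side (this is not code from the advisory or from the vendor, and the advisory does not describe Essentia's internals). The function names and the document root are assumptions; `naive_resolve` is the unchecked pattern, `safe_resolve` canonicalizes the path and then checks containment.

```python
import os
from urllib.parse import unquote


def naive_resolve(doc_root, url_path):
    """Unchecked pattern: the request path is joined to the root as-is."""
    return os.path.normpath(os.path.join(doc_root, url_path.lstrip("/")))


def safe_resolve(doc_root, url_path):
    """Return the absolute file path to serve, or None if it leaves doc_root."""
    # Decode percent-escapes once, so "%2e%2e/" is checked in decoded form.
    decoded = unquote(url_path)
    # Windows accepts both separators; treat "..\" the same as "../".
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        return None
    root = os.path.realpath(doc_root)
    # realpath collapses ".." segments and follows symlinks.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    try:
        # Compare canonical paths, not raw strings (avoids prefix tricks
        # such as /srv/www-old matching /srv/www).
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. different drives on Windows
        inside = False
    return candidate if inside else None


if __name__ == "__main__":
    root = "/srv/www"  # hypothetical document root
    # Constructed request paths, including the form quoted in the advisory.
    for req in ["/index.html", "/../../", "/%2e%2e/%2e%2e/", "/a/../index.html"]:
        print(f"{req!r:24} naive={naive_resolve(root, req)!r:20} "
              f"safe={safe_resolve(root, req)!r}")
```

A request that `safe_resolve` rejects is also worth logging, since "/../" sequences in request paths are a reliable indicator of probing for this issue.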
