[NT] LilHTTP Web Server Protected File Access Vulnerability

From: support@securiteam.com
Date: 02/25/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 25 Feb 2002 14:23:45 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  LilHTTP Web Server Protected File Access Vulnerability
------------------------------------------------------------------------

SUMMARY

 <http://www.summitcn.com/lilhttp/lildocs.html> LilHTTP Web Server is very
small yet very powerful Web Server. This server is just under 120k in size
as a stand-alone EXE file.
A security vulnerability in the product allows gaining access to otherwise
protected files.

DETAILS

Vulnerable systems:
LilHTTP Server version 2.1

It is possible to construct a web request that is capable of accessing the
contents of password-protected files/folders on the web server.

Example:
http://host/./protectedfolder/protectedfile.htm

ADDITIONAL INFORMATION

The information has been provided by <mailto:ts@securityoffice.net> Tamer
Sahin.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • [NT] Poisoning Cached HTTPS Documents in Internet Explorer
    ... Get your security news from a reliable source. ... "poison" a user's browser cache with a malicious document that will later ... The attacker can exploit this vulnerability for "replacing" HTML ... to communicate with a malicious web server over HTTPS without the browser ...
    (Securiteam)
  • [NT] Webserver 4D Weak Password Preservation Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... complete Web Server environment written entirely on top of 4th Dimension, ... WS4D web server saves the passwords somewhere insecure. ...
    (Securiteam)
  • Re: 2003 Web Server Security flaw
    ... "Locked-down windows 2003 Web Server used only to host web sites". ... What is your logic/rationale for Media Player being a required install ... The Media Player patch was the ONLY that FAILED. ... > When talking about computer security, there are areas that have no such ...
    (microsoft.public.windows.server.security)
  • Web session tracking security prob. Vulnerable: IIS and ColdFusion (maybe others)
    ... SECURITY PROBLEMS WITH WEB SERVERS' SESSION TRACKING MECHANISMS. ... 2001 we reported the following problem (with specifics to IIS and SITESERVER) to the Microsoft Security Response Center. ... These vulnerabilities, especially when combined with well-known cross-site scripting vulnerabilities, could cause loss of confidentiality, failure of non-repudiation and fraud. ... The browser stores and returns the "ASPSESSIONID" or "CFID/CFTOKEN" values with each subsequent request to the web server. ...
    (Vuln-Dev)
  • [NT] Falcon Web Server Unauthorized File Disclosure Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Falcon Web Server is a desktop web server ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)