[NT] SeaNox Devwex Denial of Service and Directory Traversal

From: support@securiteam.com
Date: 06/09/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun,  9 Jun 2002 17:36:17 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  SeaNox Devwex Denial of Service and Directory Traversal
------------------------------------------------------------------------

SUMMARY

 <http://www.seanox.de/projects.devwex.php4> DevWex is a small and
flexible Webserver running as standalone Win32 binary and as Java
application. Two security vulnerabilities have been found in the product,
allowing attackers to cause a buffer to overflow and to access files that
reside outside the bounding HTML root directory.

DETAILS

Buffer-overflow problem:
There exists a buffer-overflow problem in the procedure handling the GET
HTTP type request. Sending more than 258383 characters after the GET
request will cause the server to crash.

Example:
GET 258383xA+CRLF+CRLF

Directory traversal:
An attacker can request an URL containing Windows path delimiters to break
out of the document root of DevWex. This allows an attacker to download
sensitive data.

Example:
GET /..\..\..\..\anyfile

ADDITIONAL INFORMATION

The information has been provided by <mailto:iuk@gmx.ch> Kistler Ueli.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • Re: uh? security problem?
    ... Then you will have "Sharing And Security" in the ... context menu for files, folders, etc. in Windows Explorer. ... > granting access rights to the resource to the ASP.NET request identity. ... > eventArgument) +5 ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: uh? security problem?
    ... It appears that your IIS user account does not have access to that file. ... Try sharing the file and setting the security levels to allow everyone full ... > granting access rights to the resource to the ASP.NET request identity. ... > eventArgument) +5 ...
    (microsoft.public.dotnet.framework.aspnet)
  • [UNIX] Invision Power Board SQL Injection Vulnerability (sources/calendar.php)
    ... Get your security news from a reliable source. ... An SQL injection vulnerability in IPB's calendar support, ... We execute the following request: ... As it is a request of type SELECT, we can use for example the clause ...
    (Securiteam)
  • [NT] Gaining Root Access via PHP.exe
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... arbitrary code by inserting into the Apache log file a malicious PHP based ... Apache will then add this request line to the access.log file. ... Test that the file can be accessed via your browser by typing ...
    (Securiteam)
  • Custom object passed to a remote object method - SecurityException
    ... Because of security restrictions, ... Unhandled Exception: System.Runtime.Serialization.SerializationException: ... ---> System.Security.SecurityException: Request failed. ... (String objectUri, Stream inputStream, Boolean bStrictBinding, ...
    (microsoft.public.dotnet.framework.remoting)