[NT] Directory Traversal in Dino's Web Server (%2F)

From: support@securiteam.com
Date: 09/24/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 24 Sep 2002 19:52:45 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Directory Traversal in Dino's Web Server (%2F)
------------------------------------------------------------------------

SUMMARY

Dino web server is a tiny web server - all it does is to publish your web
site from whatever Windows based operating system. A vulnerability has
been discovered in Dino's web server that allows a remote attacker to view
the contents of arbitrary files.

DETAILS

Vulnerable systems:
 * Dino's Web Server version 1.2

It is possible to cause Dino's Web Server to navigate to any desired
folder in the same logical drive and access the files in it. This can be
achieved by using the URL encoded character representations of "/" and
"\". This allows a user to traverse the server to any directory on the
same logical drive as the web application. e.g.
http://$host/%2f..%2f..%2f..$directory$file

Vendor response:
The author Anders Jensen, outdoors@tiscali.no, stated:

"My web server will be removed from the download page that I control. I
neither have the time or resources to do anything else at the moment."

The public download site, <http://home.no.net/~nextgen/>
http://home.no.net/~nextgen/ has been replaced with a message reading
"Dino`s FunSoft is no longer available. The software will maybe in the
future be available on another label, but when and if for sure I really
cannot tell, sorry. Dino_"

Dino's Web Server remains available however via many other download sites
such as download.com, etc.

Disclosure timeline:
8/10/2002 - Disclosed to iDEFENSE
9/6/2002 - Disclosed to Vendor, Anders Jensen
9/6/2002 - Disclosed to iDEFENSE Clients
9/14/2002 - Vendor Response
9/23/2002 - Public Disclosure

ADDITIONAL INFORMATION

The information has been provided by <mailto:dendler@idefense.com> David
Endler.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.