[UNIX] File Disclosure Vulnerability in Simple Web Server

From: support@securiteam.com
Date: 11/10/02


From: support@securiteam.com
To: list@securiteam.com
Date: 10 Nov 2002 11:13:43 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure, please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -

  File Disclosure Vulnerability in Simple Web Server
------------------------------------------------------------------------

SUMMARY

As its name suggests, Peter Sandvik's <http://www.linuxstuffs.cjb.net/>
Simple Web Server is a Linux-based web server. A security vulnerability in
the product allows remote attackers to view the content of files even if
they were supposed to be executed (such is in the case of CGIs).

DETAILS

Vulnerable systems:
 * Simple Web Server 0.5.1

Restricted files can be remotely accessed because of Simple Web Server's
failure to properly handle malformed URL requests for said files. For
example, if a standard URL to access a restricted file is
http://server.com/secret/file, the altered URL
http://server.com///secret/file will bypass any access control on that
file, thereby granting unauthorized access to it.

Analysis:
The resulting damage from accessing restricted files on the web server is
dependent on the actual file accessed and what kind of information is
contained within. Simple Web Server is not a widely distributed web
server, according to Netcraft.com. As such, the likelihood of widespread
exploitation is unlikely.

Workaround:
Migrate to other supported web servers, being the software is no longer
actively maintained.

Vendor response:
Peter Sandvik said he will suspend work on the project for now, being he
"doesn't have time to work on it."

Disclosure timeline:
08/29/2002 Issue disclosed to iDEFENSE
09/25/2002 Maintainer, Peter Sandvik notified
09/25/2002 iDEFENSE clients notified
09/25/2002 Response received from Peter Sandvik (peter.sandvik@home.se)
09/26/2002 Started e-mail discussions regarding status of software support
10/31/2002 Last e-mail received regarding status of software support
11/08/2002 Public disclosure

ADDITIONAL INFORMATION

The original advisory can be downloaded by going to:
 <http://www.idefense.com/advisory/11.08.02a.txt>
http://www.idefense.com/advisory/11.08.02a.txt

The information has been provided by <mailto:dendler@idefense.com> David
Endler of iDEFENSE, the vulnerability was discovered by
<mailto:ts@securityoffice.net> Tamer Sahin.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.