[NEWS] Abyss WebServer Brute Force Vulnerability
From: support@securiteam.com
Date: 02/15/03
From: support@securiteam.com To: list@securiteam.com Date: 15 Feb 2003 21:34:10 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Abyss WebServer Brute Force Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.aprelium.com/> Abyss Web Server is a free, easily configured
web server designed for Windows and Linux operating systems. The vendor,
Aprelium, targets small businesses and personal use with this "fast,
small, and easy to use" server. The main feature is a remote web
management interface where a user can configure the server in a matter of
minutes. A vulnerability in the product allows remote attackers to
brute-force the password protecting the administrator interface without
being noticed or stopped.
DETAILS
Vulnerable systems:
* Abyss WebServer version 1.1.2
By connecting to the remote web-management interface at
http://abyss_server:9999, an attacker can use a brute-force method to gain
access to the server. There is no delay after a wrong attempt, and attackers
are given an indefinite number of attempts at entering a valid user name and
password. Unlike the access.log file for port 80, Abyss has no logging for
port 9999, which allows an attacker to proceed unnoticed.
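The advisory names three missing controls on the management port: no log line per attempt, no delay after a failure, and no limit on attempts. The following is an added example (not Abyss code, and not from the advisory's author) of an authentication guard that supplies all three; the thresholds, the `AdminAuthGuard` class and its in-memory credential store are assumptions for illustration.

```python
import hmac
import logging
import time
from collections import defaultdict

# Thresholds are assumptions for this example, not Abyss settings.
MAX_FAILURES = 5        # consecutive failures per client before lockout
LOCKOUT_SECONDS = 300   # how long a locked-out client is refused
BASE_DELAY = 1.0        # delay after the first failure; doubles each time

log = logging.getLogger("admin-auth")


class AdminAuthGuard:
    """Wraps the admin-interface password check with the controls the
    advisory found missing: an audit line for every attempt, a growing delay
    after each failure, and a per-client lockout at MAX_FAILURES."""

    def __init__(self, credentials, clock=time.monotonic, sleep=time.sleep):
        self._creds = credentials           # {user: password}; hypothetical store
        self._failures = defaultdict(int)   # client -> consecutive failures
        self._locked_until = {}             # client -> monotonic deadline
        self._clock, self._sleep = clock, sleep
        self.audit = []                     # every attempt, also sent to `log`

    def _record(self, client, user, result, **extra):
        fields = " ".join(f"{k}={v}" for k, v in extra.items())
        line = f"admin-login client={client} user={user} result={result} {fields}".rstrip()
        self.audit.append(line)
        (log.info if result == "ok" else log.warning)(line)

    def attempt(self, client, user, password):
        now = self._clock()
        if self._locked_until.get(client, 0) > now:
            self._record(client, user, "locked")
            return "locked"
        # Constant-time compare; an unknown user never succeeds, even with an
        # empty password, because the membership test is applied as well.
        expected = self._creds.get(user, "").encode()
        if hmac.compare_digest(expected, password.encode()) and user in self._creds:
            self._failures.pop(client, None)
            self._record(client, user, "ok")
            return "ok"
        self._failures[client] += 1
        n = self._failures[client]
        if n >= MAX_FAILURES:
            self._failures.pop(client)
            self._locked_until[client] = now + LOCKOUT_SECONDS
            self._record(client, user, "locked", failures=n)
            return "locked"
        self._record(client, user, "failed", failures=n)
        self._sleep(BASE_DELAY * 2 ** (n - 1))   # 1s, 2s, 4s, 8s ...
        return "failed"
```

The `clock` and `sleep` parameters exist so the lockout and delay can be exercised without real waiting; in a server they keep their defaults.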
Vendor Response:
Aprelium was notified and will soon release an updated version of the
server to include a fix for the brute-force attack and logging of port
9999. The vendor was also notified of several directories and files having
write privileges. It was agreed that a user should set permissions
themselves, but there is no documentation telling a user what has write
access by default. Aprelium has also decided to add a fix for the default
permissions of directories and files.
ADDITIONAL INFORMATION
The information has been provided by Thomas Adams <mailto:tgadams@bellsouth.net>.