[VulnWatch] iDEFENSE Security Advisory 09.23.2002: Directory Traversal in Dino's Webserver

From: David Endler (dendler@idefense.com)
Date: 09/23/02


From: "David Endler" <dendler@idefense.com>
To: vulnwatch@vulnwatch.org
Date: Mon, 23 Sep 2002 16:41:19 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 09.23.2002
Directory Traversal in Dino's WebServer

DESCRIPTION

A vulnerability exists in the latest version of Dinoís Webserver that
can allow an attacker to view and retrieve any file on the system.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-1133 to this issue.
 
ANALYSIS

An exploit is possible from an attacker constructing a URL that would
cause Dino's Webserver to navigate to any desired folder in the same
logical drive and access the files in it. This can be achieved by
using the URL encoded character representations of "/" and "\". This
allows a user to traverse the server to any directory on the same
logical drive as the web application. e.g.
http://$host/%2f..%2f..%2f..$directory$file

This issue is similar to CVE-2002-0111 which involved a traditional
.. directory traversal flaw that was fixed.

DETECTION

This vulnerability affects Dinoís Webserver version 1.2

VENDOR RESPONSE

The author Anders Jensen, outdoors@tiscali.no, stated:

"My webserver will be removed from the download`s that I control, I
neither hav the time or resources to do anything else at the moment."

The public download site, http://home.no.net/~nextgen/ has been
replaced with a message reading "Dino`s FunSoft is no longer
available. the software will maybe somtime in the future be available
on another label, but when and if for shure I really can`t tell,
sorry. Dino_"

Dino's Webserver remains available however via many other download
sites such as download.com, etc.

DISCLOSURE TIMELINE

8/10/2002 - Disclosed to iDEFENSE
9/6/2002 - Disclosed to Vendor, Anders Jensen
9/6/2002 - Disclosed to iDEFENSE Clients
9/14/2002 - Vendor Response
9/23/2002 - Public Disclosure

CREDIT

This issue was exclusively disclosed to iDEFENSE by Tamer Sahin
(ts@securityoffice.net).

Get paid for security research:
http://www.idefense.com/contributor.html

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@idefense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPY98GUrdNYRLCswqEQI72ACg9Wk4Sz3/UMw48BBuexmMeYDbO7kAoMKX
KWsbJK1rUChBvXQcW/0wbB4F
=ymjN
-----END PGP SIGNATURE-----