[VulnWatch] Minihttpserver 1.x Host Engine Flaws

From: Peter Winter-Smith (peter4020_at_hotmail.com)
Date: 09/15/03

    To: vulnwatch@vulnwatch.org, vuln@secunia.com, bugs@securitytracker.com
    Date: Mon, 15 Sep 2003 14:32:41 +0000
    
    

    Minihttpserver 1.x Host Engine Flaws

    Url: http://www.minihttpserver.net

    + File-Sharing for NET:

    "File Sharing for net is a complete, secure web server that shares your
    business documents and files over the web: remote users only need
    browsers to view your files. Share, transfer files securely with
    colleagues."

    + Forums Web Server

    "WebForums Server allows you to setup a bulletin board and photo/file
    exchange web service. It offers a built in HTTP engine, internal
    database engine, integrated HTML/Script pages, user management
    interface, message board engine and a secure file Upload/Download
    option. It is without a doubt the easiest and most complete all-in-one
    Forum Server software you have seen."

    - Both vendors' descriptions

    Both products, in my opinion, deliver exactly what they offer, and are
    definitely a reasonable buy for the price, remembering the fact that
    you not only get the scripts, but a well-rounded web server to boot.

    However, there is one aspect in which they are seriously lacking:
    security.

    In light of Mr Dennis Rand's recent discovery of several dangerous
    flaws within the server:

    http://www.infowarfare.dk/Advisories/iw-09-advisory.txt

    all of which (it is claimed) are fixed, you would have thought that
    security would have become quite a priority for the development team,
    but it appears this was not the case.

    It took me about two minutes to find two more dangerous flaws which
    can allow a remote user complete administrator access to the
    file/forum system and any file on the remote server.
    These are not difficult, hard-to-find flaws, and I think even a few
    minutes of auditing would have turned both of these up immediately.

    Flaw 1 - Directory Traversal:
    =============================

    http://server/../user.ini

    This will allow the remote unauthenticated user to break free of the
    webroot and download any file on the system.

    The example file downloads the username and password file for both
    applications, effectively allowing an intruder to access the vulnerable
    system from the web based login page without any type of malformed
    request.

    Flaw 2 - Login Parsing Flaw
    ===========================

    When Web Forum Server is first installed, it is often possible to
    gain administrator access to the forum by using the following login
    information:

    Username: Admin
    Password: "

    I have also managed to log in this way by typing ' admin" ' in the
    password recovery box.

    ======================================================================

    Operating system and service pack level:
    Windows 9x/Me/NT based

    Software:
    + Minihttpserver 1.x
    + Web Forum Server 1.x
    + File-Sharing NET 1.x

    Under what circumstances the vulnerability was discovered:
    By mistake, pretty much - testing some older vulns.

    If the vendor has been notified:
    Yes, the vendor had been notified.

    How to contact you for further information:
    I can always be reached at peter4020@hotmail.com

    Please credit this find to:
    Peter Winter-Smith

    Thank you for your time,
    -Peter

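The directory traversal in Flaw 1 works because the server maps `/../user.ini` onto the filesystem without confining the result to the webroot. The following is an added example (not code from the advisory or from the Minihttpserver products) of the two checks a defender wants: a request-path resolver that refuses any path climbing above the webroot instead of silently collapsing it, and a scan of access-log lines that flags such requests. It generalizes beyond the single URL in the advisory to percent-encoded and backslash variants, since the affected hosts run Windows; the webroot path and log lines are constructed.

```python
import re
import posixpath
from urllib.parse import unquote

WEBROOT = "/srv/www/htdocs"  # constructed example webroot, not a product path


def resolve_request_path(webroot, request_path):
    """Map an HTTP request path onto a file under webroot.

    Returns the resolved path, or None when the request would escape the
    webroot (or carries a NUL byte). Traversal is rejected rather than
    normalized away so the attempt can be logged.
    """
    decoded = request_path
    for _ in range(3):  # collapse double encoding such as %252e%252e
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.split("?", 1)[0].split("#", 1)[0]  # drop query/fragment
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")  # Windows accepts '\' as a separator
    parts = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                return None  # would climb above the webroot
            parts.pop()
            continue
        parts.append(segment)
    return posixpath.join(webroot, *parts)


# Constructed access-log lines in common log format (192.0.2.0/24 is a
# documentation range); the second and third mimic traversal attempts.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Sep/2003:14:32:41 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.11 - - [15/Sep/2003:14:33:02 +0000] "GET /../user.ini HTTP/1.0" 200 188',
    '192.0.2.12 - - [15/Sep/2003:14:33:20 +0000] "GET /docs/..%5c..%5cuser.ini HTTP/1.0" 200 188',
    '192.0.2.13 - - [15/Sep/2003:14:34:05 +0000] "GET /forum/../index.html HTTP/1.0" 200 2048',
]


def flag_traversal_requests(log_lines, webroot=WEBROOT):
    """Return the request paths in log_lines that escape webroot."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
        if m and resolve_request_path(webroot, m.group(1)) is None:
            flagged.append(m.group(1))
    return flagged
```

A `/forum/../index.html` request stays inside the webroot and is served normally; only requests whose `..` components outnumber the directories above them are refused and flagged.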

