Lysias Li*** Webserver suffers from a Directory Traversal Vulnerability
From: Florian Hobelsberger / BlueScreen (genius28@gmx.de)Date: 05/08/02
- Previous message: Obscure: "Multiple Vulnerabilities in MDaemon + WorldClient"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Florian Hobelsberger / BlueScreen" <genius28@gmx.de> To: <bugtraq@securityfocus.com> Date: Wed, 8 May 2002 03:27:19 +0200
- ------------------------------------------------------------
itcp advisory 14 advisories@it-checkpoint.net
http://www.it-checkpoint.net/advisory/14.html
May 8th, 2002
- ------------------------------------------------------------
Lysias Li*** Webserver suffers from a Directory Traversal Vulnerability
- -------------------------
Affected programs: Lysias Li*** Webserver 0.7b
URL: www.lysias.de
Vendor: L.Y.S.I.A.S.
Vulnerability-Class: Directory Traversal
OS specific: Windows
Problem-Type: remote
SUMMARY
Lysias Li*** Webserver is quite a small Webserver (Installation file is
about 700 KB) and
offers various features including SSL-Support.
Further, it seems to be an attempt to create a secure webserver since "not
allowed requests"
are shown seperated from the usual requests.
( I love programmers who also think about the safety of their programs).
DETAILS
When trying to request http://localhost/../, it didn't work but the number
of "not allowed requests"
increased by 1.
Then, trying it with http://localhost////./../.../ , it suddenly worked and
i got
the contents of E:, on which the Server root lies in \security.
IMPACT
The Server root can be exited and almost any file on the same disk could be
downloaded
(including password files or other sensitive information).
It seems like it is not possible to enter directories in this way which have
a space in
their name (%20 at the browser).
EXPLOIT
If the webserver is running at localhost, just enter
in the address windows at the browser.
SOLUTION
Since there already seems to exist a protection against regular Directory
Traversal attempts
(/../), this should be widened to prevent Directory Traversal attempts with
three (or multiple) dots.
Entering more than three dots doesn't work for me.
ADDITIONAL INFORMATION
Vendor has been contacted.
Bug discovered and published by Florian "BlueScreen" Hobelsberger
( BlueScreen@IT-Checkpoint.net ) from
www.IT-Checkpoint.net
-----------------------
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
- Previous message: Obscure: "Multiple Vulnerabilities in MDaemon + WorldClient"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
