BWS v1.0b3 Directory Transversal Vulnerability
From: Rafel Ivgi, The-Insider (theinsider_at_012.net.il)
Date: 01/24/04
To: "bugtraq" <bugtraq@securityfocus.com>
Date: Sat, 24 Jan 2004 20:56:06 +0200
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: BWS (Borland Web Server) / (Corel Paradox)
Vendors:
http://www.Borland.com
http://www.Corel.com
Corporate mergers make it unclear which vendor is the responsible one.
Versions: <= 1.0b3
Platforms: Windows
Bug: Directory Transversal Vulnerability
Risk: High
Exploitation: remote with browser
Date: 24 Jan 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bug
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
BWS is an old web server used for the "Corel Paradox relational
database web interface".
This version of the server was built in 1998 and mostly runs on
Windows 98.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
The web server applies the following substitutions to protect against the
directory traversal bug:
"//" is replaced with ""
"\." and "\.." are replaced with ""
"\" is replaced with "/"
"\\" is replaced with "//"
The server is also protected from the classic directory traversal "/../".
The problem occurs when the attacker uses the pattern:
"/..................../"
or
"/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c" (the encoded version of
"\..\..\..\..\"),
which allows him to view and download any file on the remote system, provided
he knows its path.
This allows any attacker to read and download any local file and, in most
cases, to retrieve the machine's password files and invade it (using
ssh, ftp, http, netbios, samba, etc.).
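
Added example (not part of the original advisory and not BWS code): a Python sketch that contrasts a substitution filter like the one listed above with a decode-validate-canonicalize check that refuses both reported patterns. The names `blocklist_filter`, `safe_resolve` and `DOCROOT` are hypothetical, and the order of the substitutions and the assumption that they run before percent-decoding are guesses, since the advisory does not state them.

```python
import ntpath
from urllib.parse import unquote

DOCROOT = r"C:\bws\htdocs"  # hypothetical document root, not from the advisory

def blocklist_filter(raw):
    """Model of the advisory's substitution rules (order assumed), run on the
    raw request path before percent-decoding (assumed). None = rejected."""
    out = raw.replace("//", "")
    out = out.replace("\\..", "").replace("\\.", "")
    out = out.replace("\\\\", "//").replace("\\", "/")
    return None if "/../" in out else out

def safe_resolve(raw, docroot=DOCROOT):
    """Decode once, validate every segment, canonicalize, confine to docroot.
    Returns the absolute path to serve, or None when the request is refused."""
    path = unquote(raw)
    if any(c in path for c in "%:\x00"):   # double encoding, drive/stream, NUL
        return None
    segments = [s for s in path.replace("\\", "/").split("/") if s]
    for seg in segments:
        # Refuses ".", "..", "...." and names with trailing dots or spaces,
        # which Windows path handling does not treat as ordinary names.
        if seg.rstrip(". ") != seg:
            return None
    root = ntpath.normcase(ntpath.normpath(docroot))
    full = ntpath.normcase(ntpath.normpath(ntpath.join(root, *segments)))
    # Containment check after canonicalization, kept as defence in depth.
    if full != root and not full.startswith(root + "\\"):
        return None
    return full

# Constructed sample requests; the two traversal prefixes are quoted from the advisory.
SAMPLES = [
    "/docs/index.htm",
    "/../../x.txt",
    "/..................../x.txt",
    "/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cx.txt",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(f"{req!r}: blocklist={blocklist_filter(req)!r} safe={safe_resolve(req)!r}")
```

The substitution model passes the last two samples through unchanged, while `safe_resolve` refuses every sample except the first because it validates the decoded segments instead of rewriting known-bad substrings.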
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
http:// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Things that are unlikeable, are NOT impossible."