 
From: joetestaHUSHMAIL.COM
Date: Wed Feb 07 2001 - 15:46:06 CST


    ----- Begin Hush Signed Message from joetestahushmail.com -----

    Vulnerability in Soft Lite ServerWorx

        Overview

    Soft Lite ServerWorx v3.00 is a web server available from
    http://www.zdnet.com and http://www.softlite.net. A vulnerability exists
    which allows a remote user to break out of the web root using relative
    paths (i.e., '..', '...').

        Details

            http://localhost/../[file outside web root]
            http://localhost/.../[file outside web root]

        Solution

    > From: "SoftLite Tech Support" <supportsoftlite.net>
    > Reply-to: "SoftLite Tech Support" <supportsoftlite.net>
    > To: <joetestahushmail.com>
    >
    > Hi,
    >
    > Are you running ServerWorx 5.0?
    >
    > If you try using this instead, you will see that any attempt to access
    > a file outside the root of the web will show an "access denied"
    > message.
    >
    > We have now dropped support for ServerWorx 3, and suggest to all our
    > users to move to the new version.
    >
    > Many thanks for the report anyway,
    > Alexander Holcombe.

        It should be noted that I have not been able to obtain version
    5.0, and thus, I urge users to proceed with caution.

        Vendor Status

    SoftLite International was contacted via <serverworxsoftlite.net> on
    Sunday, January 28, 2001.

          - Joe Testa ( e-mail: joetestahushmail.com / AIM: LordSpankatron )

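An added example, not part of the original advisory and not ServerWorx code: one way a web server can map a request path to a file while refusing the '..' and '...' segments listed under Details, shown beside an unchecked "before" form. The root `/srv/www`, the function names and the sample requests are assumptions constructed for illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/srv/www"  # assumed document root (not from the advisory)


def naive_resolve(url_path: str) -> str:
    """'Before' form: joins the request path onto the root with no checks."""
    return posixpath.normpath(WEB_ROOT + url_path)


def safe_resolve(url_path: str) -> Optional[str]:
    """Return a path inside WEB_ROOT, or None when the request must be denied."""
    decoded = unquote(url_path.split("?", 1)[0])
    # A second decode that still changes the string means double encoding.
    if unquote(decoded) != decoded or "\x00" in decoded:
        return None
    kept = []
    # Backslash is a path separator on Windows, so split on it as well.
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        # Deny any segment made only of dots: '..', '...', '....' and so on.
        if set(seg.rstrip(" ")) == {"."}:
            return None
        kept.append(seg)
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, *kept))
    # Containment check on the normalised result, as defence in depth.
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


# Constructed sample requests, modelled on the two forms under "Details".
SAMPLES = ["/index.html", "/../secret.txt", "/.../secret.txt",
           "/%2e%2e/secret.txt", "/docs/..\\..\\secret.txt"]

if __name__ == "__main__":
    for req in SAMPLES:
        print(f"{req!r:28} naive={naive_resolve(req)!r} safe={safe_resolve(req)!r}")
```

A POSIX-style normaliser treats '...' as an ordinary file name, which is why the unchecked form passes it through unchanged. The checked form denies it because the advisory reports it as a working traversal segment on this server.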