From: Florian Hobelsberger / BlueScreen (genius28gmx.de)
Date: Tue May 07 2002 - 20:27:19 CDT

    ------------------------------------------------------------
    itcp advisory 14 advisoriesit-checkpoint.net
    http://www.it-checkpoint.net/advisory/14.html
    May 8th, 2002
    ------------------------------------------------------------

    Lysias Lidik Webserver suffers from a Directory Traversal Vulnerability
    -------------------------

    Affected programs: Lysias Lidik Webserver 0.7b
    URL: www.lysias.de
    Vendor: L.Y.S.I.A.S.
    Vulnerability-Class: Directory Traversal
    OS specific: Windows
    Problem-Type: remote

    SUMMARY

    Lysias Lidik Webserver is quite a small webserver (the installation file is
    about 700 KB) and offers various features including SSL support.
    Further, it seems to be an attempt to create a secure webserver, since "not
    allowed requests" are shown separated from the usual requests.
    (I love programmers who also think about the safety of their programs.)

    DETAILS

    When trying to request http://localhost/../, it didn't work, but the number
    of "not allowed requests" increased by 1.
    Then, trying it with http://localhost////./../.../ , it suddenly worked and
    I got the contents of E:, on which the server root lies in \security.

    IMPACT

    The server root can be exited and almost any file on the same disk could be
    downloaded (including password files or other sensitive information).
    It does not seem possible to enter directories this way if they have a
    space in their name (%20 in the browser).

    EXPLOIT

    If the webserver is running at localhost, just enter

    http://localhost/.../

    in the address window of the browser.

    SOLUTION

    Since protection against regular Directory Traversal attempts (/../)
    already seems to exist, it should be widened to prevent Directory Traversal
    attempts with three (or multiple) dots.
    Entering more than three dots doesn't work for me.

    ADDITIONAL INFORMATION
    Vendor has been contacted.

    Bug discovered and published by Florian "BlueScreen" Hobelsberger
    ( BlueScreenIT-Checkpoint.net ) from www.IT-Checkpoint.net

    -----------------------
    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any
    kind.
    In no event shall we be liable for any damages whatsoever including direct,
    indirect, incidental, consequential, loss of business profits or special
    damages.
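
The check that the SOLUTION section asks for, as an added example that is not part of the original advisory and not the vendor's code: instead of blacklisting "/../" alone, decode the request path, split it on both separators, and refuse every segment made only of dots and spaces. The function names and the document root (modelled on the advisory's E: drive and \security directory) are assumptions.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import unquote

# Assumed document root, modelled on the advisory's "E:" + "\security".
DOC_ROOT = PureWindowsPath(r"E:\security")
_SEPARATORS = re.compile(r"[\\/]+")


def resolve_request(url_path, root=DOC_ROOT):
    """Map a request path to a file under root, or return None to refuse it."""
    decoded = unquote(url_path)  # decode %2e, %5c, %20 before any check
    if "\x00" in decoded or ":" in decoded:
        return None  # NUL bytes, drive letters, alternate data streams
    parts = []
    for segment in _SEPARATORS.split(decoded):
        if segment in ("", "."):
            continue  # empty segments from "////" and "./" are harmless
        if segment.strip(". ") == "":
            # "..", "...", "....", ". ." and so on: refuse every segment made
            # only of dots and spaces instead of blacklisting "/../" alone.
            return None
        parts.append(segment)
    candidate = root.joinpath(*parts)
    # Second line of defence: the joined path must still sit under root.
    if candidate != root and root not in candidate.parents:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, including the two forms from the advisory.
    samples = ["/index.html", "/docs/my%20file.txt", "/../",
               "////./../.../", "/.../", "/%2e%2e%2e/"]
    for path in samples:
        result = resolve_request(path)
        print(f"{path:22} -> {result if result else 'REFUSED'}")
```

Refused requests can be counted as "not allowed requests" in the same way the server already does for /../.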