[ RFP Note: three similar advisories by the same author have been combined
into one post. The first one is a problem in LilHTTP web server; then
there are two problems in Essentia web server. ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

LilHTTP Web Server Protected File Access Vulnerability

Type:

File Disclosure

Release Date:

February 21, 2002

Product / Vendor:

LilHTTP Web Server is very small yet powerfull Web Server. This
server weighs in at just under 120k in size as a stand-alone EXE
file. It features security, Server Side Includes and CGI support.
LilHTTP is very easy to configure and to setup.

http://www.summitcn.com

Summary:

It is possible to construct a web request which is capable of
accessing the contents of password protected files/folders on the
webserver.

http://host/./protectedfolder/protectedfile.htm

Tested:

Windows 2000 / LilHTTP Server 2.1

Vulnerable:

LilHTTP Server 2.1 (And may be other.)

Disclaimer:

http://www.securityoffice.net is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.

Author:

Tamer Sahin
tssecurityoffice.net
http://www.securityoffice.net

Tamer Sahin
http://www.securityoffice.net
PGP Key ID: 0x2B5EDCB0

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPHQ2/ruLpFMrXtywEQLMXgCffazlrQvxLvsRTimMB4+A+1F4Rw0AoNOl
rEI1L27iKmvcezKhl2L0WBnm
=aJe4
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Essentia Web Server Directory Traversal Vulnerability

Type:

Directory Traversal

Release Date:

February 22, 2002

Product / Vendor:

The Essentia Web Server provides Enhanced Web Application and
Communication Services. Whether you are setting up a simple Web Site
on your Corporate Intranet or creating large sites for the Internet,
Essentia provides a simple and flexible way to make an even stronger
Web and Applications Platform.

http://www.essencomp.com/

Summary:

Adding the string "/../" to an URL allows an attacker to view and
download any file on the server.

http://host/../../

Tested:

Windows 2000 / Essentia Web Server 2.1

Vulnerable:

Essentia Webserver 2.1 (And may be other.)

Disclaimer:

http://www.securityoffice.net is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.

Author:

Tamer Sahin
tssecurityoffice.net
http://www.securityoffice.net

Tamer Sahin
http://www.securityoffice.net
PGP Key ID: 0x2B5EDCB0

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPHWC9buLpFMrXtywEQLARwCdEYO534J8Q1l8evjoaIEz6H0zo/oAn1/u
Fnta5tnU3XnGJTg0hQk16gvz
=j6o+
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Essentia Web Server DoS Vulnerability

Type:

DoS, crashes Daemon

Release Date:

February 22, 2002

Product / Vendor:

The Essentia Web Server provides Enhanced Web Application and
Communication Services. Whether you are setting up a simple Web Site
on your Corporate Intranet or creating large sites for the Internet,
Essentia provides a simple and flexible way to make an even stronger
Web and Applications Platform.

http://www.essencomp.com/

Summary:

Essentia Web Server is subject to a denial of service. Submitting a
request of unusual length to the host will cause the server to crash.
A restart is required in order to gain normal functionality.

http://host/AAAAAA...(Ax2000)...AAAAAA

Tested:

Windows 2000 / Essentia Web Server 2.1

Vulnerable:

Essentia Webserver 2.1 (And may be other.)

Disclaimer:

http://www.securityoffice.net is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.

Author:

Tamer Sahin
tssecurityoffice.net
http://www.securityoffice.net

Tamer Sahin
http://www.securityoffice.net
PGP Key ID: 0x2B5EDCB0

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPHWDiLuLpFMrXtywEQJW/QCfdSnEKS+NAqf/cpNSUi3qp6elkScAoIZc
a6uytdMvGpyQtxA0z8eXlWMn
=RHts
-----END PGP SIGNATURE-----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]