From: Steve (steve SECURESOLUTIONS.ORG)
Date: Mon Jun 18 2001 - 20:09:17 CDT
Strumpf Noir Society Advisories
! Public release !
<--#
-= Multiple Vulnerabilities In AMLServer =-
Release date: Monday, June 18, 2001
Introduction:
Air Messenger LAN Server is a paging gateway server for MS Windows that
allows you to send and receive messages to a paging network
over a TCP/IP LAN to phones, pagers and e-mail.
AMLServer is available from vendor Internet Software Solutions's
website: http://www.internetsoftwaresolutions.org
Problem(s):
AMLServer Directory Traversal Problem
AMLServer's "Webpaging" http interface is susceptible to a directory
traversal attack. Adding the string "../" to a URL allows an
attacker access to files outside of the webserver's publishing
directory. This allows read access to any file on the server.
AMLServer Plaintext Password Storage
A second problem is found in the file pUser.Dat. All
username/password combinations applicable to the various services
provided by AMLServer are stored in this file in plaintext.
AMLServer Path Disclosure
The mentioned userfile is stored in the server's main directory. The
exact location can be obtained by exploiting another problem in
the web interface, a path disclosure bug. The http-header field
'Location' contains the full path to servermaindir/Messages.
For example:
$ telnet target 80|grep Location
Location: http://C:\PROGRA~1\ISS\AIRMES~1\Messages
Connection closed by foreign host.
(..)
Solution:
Vendor has been notified and has expressed the intention to fix
these problems in version 4. Unfortunately, at the time of this
advisory the vendor wasn't able to supply us with an approximate date
for this "fixed" release so we have not been able to verify
this.
This was tested against AMLServer 3.4.2 on Win2k.
yadayadayada
Free sk8! (http://www.freesk8.org)
SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.
EOF, but Strumpf Noir Society will return!
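
Added example (not part of the original advisory, and not the vendor's code): the checks a web interface needs against the traversal and path-disclosure problems described above, resolving request paths against a publishing root with Windows path rules and flagging Location values that contain a local path. WEB_ROOT and both function names are assumptions made for illustration.

```python
import ntpath
import re
from urllib.parse import unquote

# Assumed publishing directory (constructed; the advisory does not name it).
WEB_ROOT = r"C:\srv\webpaging\htdocs"

def resolve_under_root(url_path, root=WEB_ROOT):
    """Map a request path to a file under root, or None if it escapes."""
    decoded = url_path.split("?", 1)[0]
    # Decode until stable so double-encoded sequences are normalized too.
    while unquote(decoded) != decoded:
        decoded = unquote(decoded)
    if "\x00" in decoded:
        return None
    # Windows accepts both separators, so treat "/" and "\" alike.
    rel = decoded.replace("/", "\\").lstrip("\\")
    if ntpath.splitdrive(rel)[0]:  # "C:..." would replace root in join()
        return None
    candidate = ntpath.normpath(ntpath.join(root, rel))
    root_n = ntpath.normcase(ntpath.normpath(root))
    cand_n = ntpath.normcase(candidate)
    # Compare whole components: "htdocs-old" must not pass as "htdocs".
    if cand_n != root_n and not cand_n.startswith(root_n + "\\"):
        return None
    return candidate

# A drive-letter path or any backslash in a redirect target is a local path.
_LOCAL_PATH = re.compile(r"(?:^|/)[A-Za-z]:[\\/]|\\")

def location_leaks_path(header_value):
    """True if a Location header value exposes a local Windows path."""
    return bool(_LOCAL_PATH.search(header_value))

if __name__ == "__main__":
    # Constructed request paths, plus the Location value quoted in the advisory.
    for p in ["/index.htm", "/sub/../index.htm", "/../pUser.Dat",
              "/..%5c..%5cpUser.Dat", "/%252e%252e/pUser.Dat"]:
        print(p, "->", resolve_under_root(p))
    print(location_leaks_path(r"http://C:\PROGRA~1\ISS\AIRMES~1\Messages"))
```

The same two functions can serve as a regression check when a fixed release is evaluated: every request path that resolves to None must be refused, and no response header should make location_leaks_path return True.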