07.29.2010 | STERLING, VA
PUBLIC ADVISORY: 10.15.02
PUBLIC ADVISORY: 10.15.02
PUBLIC ADVISORY: 10.15.02
DoS and Directory Traversal Vulnerabilities in WebServer 4 Everyone
I. BACKGROUND
RadioBird Software's WebServer 4 Everyone is a free "Powerful, MultiClient, yet Easy to handle and maintain, WebServer.". It is available for download at http://www.freeware.lt/ .
II. DESCRIPTION
Issue 1:
Improper bounds checking allow attackers to launch a denial of service (DoS) attack, causing the web server to crash. The condition is triggered when the software receives a request for a long filename, such as GET /AAAAAAAA...3000...AAAA HTTP/1.1 .
Issue 2:
A directory traversal issue exists. The software can be duped into serving a restricted file. This is done if an attacker issues a directory traversal request with the hexadecimal representation for the front slash character (%2F). For example, if the URL http://target.server/%2f..%2f..%2f../winnt/repair/sam were sent to a target server, the SAM table would be retrieved.
A vulnerability exists that provides attackers access to arbitrary files on the server running the application.
III. ANALYSIS
For Issue 1, exploitation could allow an attacker to deny legitimate users access to the server and the contents that it provides.
For Issue 2, exploitation allows an attacker to obtain sensitive information, such as the Windows NT SAM table. This kind of information can allow further compromise of the targeted host. Sensitive information such as credit cards can also be retrieved.
Customers should note that an remote user with access to the application can launch these attacks.
IV. DETECTION
iDEFENSE has confirmed the existence of both vulnerabilities in WebServer 4 Everyone, versions 1.23 and 1.27. Earlier versions are likely affected, as well.
V. VENDOR FIX
Leonardas Survila of Radiobird Software released WebServer 4 Everyone, version 1.30, which fixes the problems. It is downloadable at ftp://ftp.freeware.lt/anonymous/Soft/w4asetup.exe.
VI. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1212 to Issue 1 and CAN-2002-1213 to Issue 2.
VII. DISCLOSURE TIMELINE
VIII. CREDIT
Tamer Sahin (ts@securityoffice.net) discovered both of these vulnerabilities.
RadioBird Software's WebServer 4 Everyone is a free "Powerful, MultiClient, yet Easy to handle and maintain, WebServer.". It is available for download at http://www.freeware.lt/ .
II. DESCRIPTION
Issue 1:
Improper bounds checking allow attackers to launch a denial of service (DoS) attack, causing the web server to crash. The condition is triggered when the software receives a request for a long filename, such as GET /AAAAAAAA...3000...AAAA HTTP/1.1 .
Issue 2:
A directory traversal issue exists. The software can be duped into serving a restricted file. This is done if an attacker issues a directory traversal request with the hexadecimal representation for the front slash character (%2F). For example, if the URL http://target.server/%2f..%2f..%2f../winnt/repair/sam were sent to a target server, the SAM table would be retrieved.
A vulnerability exists that provides attackers access to arbitrary files on the server running the application.
III. ANALYSIS
For Issue 1, exploitation could allow an attacker to deny legitimate users access to the server and the contents that it provides.
For Issue 2, exploitation allows an attacker to obtain sensitive information, such as the Windows NT SAM table. This kind of information can allow further compromise of the targeted host. Sensitive information such as credit cards can also be retrieved.
Customers should note that an remote user with access to the application can launch these attacks.
IV. DETECTION
iDEFENSE has confirmed the existence of both vulnerabilities in WebServer 4 Everyone, versions 1.23 and 1.27. Earlier versions are likely affected, as well.
V. VENDOR FIX
Leonardas Survila of Radiobird Software released WebServer 4 Everyone, version 1.30, which fixes the problems. It is downloadable at ftp://ftp.freeware.lt/anonymous/Soft/w4asetup.exe.
VI. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1212 to Issue 1 and CAN-2002-1213 to Issue 2.
VII. DISCLOSURE TIMELINE
| 10/06/2002 | Issue disclosed to iDEFENSE |
| 10/14/2002 | Vendor notified via e-mail to ulterior@freeware.lt |
| 10/14/2002 | iDEFENSE clients notified |
| 10/14/2002 | Response received from Leonardas Survila (leonardass@iki.lt) |
| 10/15/2002 | Vendor fix created |
| 10/15/2002 | Coordinated public disclosure |
VIII. CREDIT
Tamer Sahin (ts@securityoffice.net) discovered both of these vulnerabilities.
Vulnerability Advisories: 