PinkNet Web Server Discloses Files on the System to Remote Users
SecurityTracker Alert ID: 1007080
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 29 2003
Impact: Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Version(s): 2.0.2
Description: Ziv Kamir reported a vulnerability in the PinkNet Web Server. A remote user can view files on the system that are located outside of the web document directory.
A remote user can reportedly supply HTTP GET requests containing '../' directory traversal characters to the server to view arbitrary files on the system with the privileges of the web server.
Some demonstration exploit URLs are provided:
http://[target]/./../main.conf
http://[target]/./.././.././../winnt/repair/sam._
The vendor has reportedly been notified (on June 25, 2003).
Impact: A remote user can view arbitrary files on the system with the privileges of the web server.
Solution: No solution was available at the time of this entry.
Vendor URL: pnws.pinknet.cz/
Cause: Input validation error
Underlying OS: Windows (Any)
Reported By: Ziv Kamir <vulncode@yahoo.com>
Message History:
None.
Source Message Contents
Date: Sat, 28 Jun 2003 23:22:39 -0700 (PDT)
From: Ziv Kamir <vulncode@yahoo.com>
Subject: Vulnerability Under PinkNet Web Server 2.0.2
Hi,
29/06/03
Ziv Kamir
---------
-------------------------------------------------------
Application: PinkNet Web Server
Web Site: pnws.pinknet.cz
Versions: 2.0.2
Platform: Windows
Bugs: Directory traversal Bug
Credits:
########
#################################
# #
# Ziv Kamir #
# #
# Email : vulncode@yahoo.com #
# #
# #
#################################
---------------------
1) Bug
2) The Code
3) Fix
=======
1) Bug
=======
PinkNet Web Server suffers from directory traversal; it is possible to break out of the web root and read arbitrary files from the server.
===========
2) The Code
===========
Directory traversal
===================
To View The Web Server Config File :
####################################
http://10.10.10.1/./../main.conf
To View The Sam File :
######################
http://10.10.10.1/./.././.././../winnt/repair/sam._
======
3) Fix
======
Date of Vendor Notification:
25/06/03
Status:
==============================================================================================
*** The Data is for educational purpose only. ***
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or special damages.
==============================================================================================
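Added example (not part of the SecurityTracker entry, the reporter's message, or PinkNet's code): the "input validation error" cause listed above, shown as a flawed request-to-file mapping beside a containment check that refuses the two request paths from the advisory. The web root C:\PinkNet\htdocs and the function names are assumptions made for illustration.

```python
import ntpath  # Windows path rules on any OS, so the example runs anywhere
from urllib.parse import unquote

# Assumed install location; the advisory does not give the real path.
WEB_ROOT = r"C:\PinkNet\htdocs"

def naive_map(web_root, url_path):
    """Flawed mapping: append the request path to the web root unchecked."""
    return ntpath.normpath(web_root + url_path.replace("/", "\\"))

def safe_map(web_root, url_path):
    """Return the file to serve, or None when the request must be refused."""
    decoded = unquote(url_path)  # validate what the filesystem will see
    # NUL bytes and ':' (drive letters, NTFS stream names) never belong here.
    if "\x00" in decoded or ":" in decoded:
        return None
    relative = decoded.replace("/", "\\").lstrip("\\")
    root = ntpath.normcase(ntpath.normpath(web_root))
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(root, relative)))
    # Compare whole components so C:\PinkNet\htdocs2 is not treated as inside.
    if candidate != root and not candidate.startswith(root + "\\"):
        return None
    return candidate

# Request paths from the advisory plus two constructed legitimate ones.
REQUESTS = [
    "/./../main.conf",
    "/./.././.././../winnt/repair/sam._",
    "/index.html",
    "/./docs/../index.html",
]

if __name__ == "__main__":
    for path in REQUESTS:
        print(f"{path!r}: naive={naive_map(WEB_ROOT, path)!r} "
              f"safe={safe_map(WEB_ROOT, path)!r}")
```

The check runs on the canonical path after decoding and normalization, which is the form the filesystem acts on; filtering the raw request string for '../' alone would not give the same guarantee.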