Acme.Serve Java-based Web Server Lets Remote Users Read All Files on the Server
|
|
SecurityTracker Alert ID: 1001662 |
|
SecurityTracker URL: http://securitytracker.com/id/1001662
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
|
Date: Jun 2 2001
|
Impact:
Disclosure of system information, Disclosure of user information
|
Exploit Included: Yes
|
Version(s): Acme.Serve v1.7 of 13nov96
|
Description:
A vulnerability has been reported in Acme Software's Acme.Serve Java-based web server that allows remote users to read all files on the server.
If a remote user connects to the following URL, the remote user can browse the root directory of the host running Acme.Serve 1.7:
http://[targethost]:9090///
|
Impact:
A remote user can view all files on the web server.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.acme.com/
|
Cause:
Access control error, Input validation error
|
Underlying OS:
Java, Linux (Any), UNIX (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 31 May 2001 22:34:16 +0200
Subject: Acme.Server v1.7 of 13nov96 Directory Browsing
|
----------------------------------------------------------------------
Date: 31.05.2001
Affected Software: Acme.Serve v1.7 of 13nov96 (http://www.acme.com)
Exploit: Browsing of directories and files allowed to unauthorized users
Keywords: Cisco Secure Administration, Netscape FastTrack, ...
Contact: AS19 Team (info@as19.org)
----------------------------------------------------------------------
Platforms: Sun + Unix
Details: Connect to http://potentialvictim:9090/// and you should have
access to the root dir of the machine running Acme.Serve 1.7.
http://potentialvictim:9090//etc/shadow and you can view the hash. You have
r00t privileges.
Greetings, AS19 Team (http://www.as19.org)
|
|
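The `///` and `//etc/shadow` request paths reported above, run through a document-root resolver, as an added example that is not Acme.Serve source and not part of the original advisory. The advisory does not show the server's code, so `naiveResolve` is an assumed bug pattern (strip one leading slash, then resolve); the class name, method names and the `/srv/www` root are hypothetical, and a POSIX file system is assumed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class DocRootCheck {
    // Assumed bug pattern (not Acme.Serve's actual source): drop one leading
    // "/" and treat the remainder as relative to the document root.
    static Path naiveResolve(Path docRoot, String urlPath) {
        // Path.resolve() returns its argument unchanged when that argument is
        // absolute, so "//etc/shadow" -> "/etc/shadow" leaves docRoot entirely.
        return docRoot.resolve(urlPath.substring(1)).normalize();
    }

    // Hardened: strip every leading "/", normalize, then require containment.
    static Path safeResolve(Path docRoot, String urlPath) throws IOException {
        String relative = urlPath.replaceFirst("^/+", "");
        Path root = docRoot.toAbsolutePath().normalize();
        Path candidate = root.resolve(relative).normalize();
        if (!candidate.startsWith(root)) {
            throw new IOException("outside document root: " + urlPath);
        }
        // If the file exists, also resolve symlinks and re-check containment.
        if (Files.exists(candidate)
                && !candidate.toRealPath().startsWith(root.toRealPath())) {
            throw new IOException("symlink escapes document root: " + urlPath);
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path docRoot = Paths.get("/srv/www"); // constructed sample root
        // Constructed sample requests: one benign, two from the advisory.
        String[] requests = { "/index.html", "///", "//etc/shadow" };
        for (String req : requests) {
            String safe;
            try {
                safe = safeResolve(docRoot, req).toString();
            } catch (IOException e) {
                safe = "REJECTED";
            }
            System.out.printf("%-14s naive=%-22s hardened=%s%n",
                    req, naiveResolve(docRoot, req), safe);
        }
    }
}
```

With the naive resolver, `///` maps to `/` and `//etc/shadow` maps to `/etc/shadow`; the hardened resolver keeps both under `/srv/www`. Running the server as an unprivileged account limits what such a flaw can expose.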